Cloud computing provides the convenience and cost-saving benefit of placing computing and storage resources on demand, all without the need for internal infrastructure. As the technology arrangement becomes more popular, however, additional cloud computing security measures are necessary to ensure the continued protection of the integrity, confidentiality and availability of enterprise data.
Part 1 of this chapter excerpt from The Shortcut Guide to Prioritizing Security Spending, Chapter 3: Security and the Dynamic Infrastructure.
Table of contents:
Part 1: How to justify information security spending on cloud computing
Part 2: How to protect distributed information flows
There are many ways to organize cloud computing offerings into various taxonomies; for our purposes, we will focus on two distinct categories: desktop software replacement services and back-office infrastructure.
Desktop Software Replacement
Cloud-based replacements for desktop software can reduce the time and cost of maintaining it: with a cloud-based service, organizations may lower software licensing costs and reduce maintenance overhead. Google Docs, Zoho, and ThinkFree Office are a few examples of cloud-based alternatives to traditional desktop software. These services provide the core functionality one would expect from a desktop office suite, including word processing, spreadsheets, presentation software and, in some cases, databases. Zoho, for example, shows how far cloud-based services can be pushed, with additional support for online document management, project management, customer relationship management (CRM), and human resources applications. Virtualized desktops running office suites on servers within the enterprise have some similarities to cloud services, but they are a distinct model and not cloud computing in the sense used here.
Back-Office Infrastructure
Back-office infrastructure includes servers and storage arrays as well as higher-level, application-specific functionality. Collectively, the higher-level functions are described as "X as a Service," where X could include middle-tier services, such as databases and application servers, or broader services such as CRM, HR, and security management.
One of the distinguishing characteristics of back-office offerings is the level of control over management and design that the customer retains. Consider three example scenarios:
- Scenario 1: A customer purchases access to server and storage services as needed. The customer determines which OS runs on the servers, when the servers are started, how long they run, and what access controls are applied to them. Storage is allocated as needed, and the customer retains responsibility for backup and disaster recovery. (The customer may assume that the cloud provider's redundancy in the storage service is sufficient, but that is a risk-management decision that may not be appropriate for all customers: provider-side replication protects against hardware failure, not against accidental deletion, a compromised account, or a provider-wide outage.)
- Scenario 2: The customer purchases a database and application server service. The customer determines which database and application server it will run and the number of instances of each. The cloud service provider manages the physical aspects of the database, ensuring space is allocated on underlying file systems and that the database is sufficiently patched and properly configured. The customer designs the overall database architecture and monitors performance, but the cloud provider attends to implementation details.
- Scenario 3: A customer purchases a cloud-based enterprise application service, such as an HR management system. The customer manages data in the system and determines user access and privileges, but relies on the service provider to ensure availability of the system, appropriate backup and recovery operations, architecture and application design of the system, patching and
As these three scenarios demonstrate, cloud computing is a range of services in which customers and service providers find an appropriate division of labor between the two. In Scenario 1, the customer retains the most control but also has the most responsibility for developing and maintaining applications. In Scenario 3, the customer has the least responsibility for management details and, presumably, the least control over implementation details. Choosing the right combination of services is largely dictated by the customer's core competencies, its ability to design and maintain IT applications, and the fit of service provider offerings to the customer's business strategy. Security considerations, in many cases, will factor heavily in cloud computing decisions.
Security Considerations with Cloud Computing
Regardless of whether a customer uses desktop software services or some combination of back-office applications and services, there are security issues to take into consideration:
- Encryption and other data security measures
- Availability and service level agreements (SLAs)
- Compliance with government and industry regulations
- Ensuring cloud-based applications are secure
As with the types of services offered, cloud service provider offerings can vary in their security characteristics.
Encryption and Other Data Security Measures
One of the first questions to consider about cloud security is: What could happen with your data? Confidentiality is an obvious concern and encryption is usually part of the solution when confidentiality is required. There are different ways to approach the use of encryption.
The cloud provider could encrypt data stored in its data centers (server-side encryption). This is the approach the text attributes to Amazon's S3 storage service: customers generate a key that is associated with an account, and data is encrypted with that key when it is stored in the cloud. The advantage of this approach is that everything stored to the cloud is encrypted without any action by the uploading application. The disadvantage, at least to some, is that the cloud provider controls the encryption process and holds the keys: encryption of this kind protects against loss or theft of the underlying media, but not against the provider itself, a compromise of the provider, or any request the provider's own API is willing to serve.
An alternative approach is to encrypt data locally before sending it to the cloud. This setup appeals to those who need finer-grained control over keys and the encryption process, and it keeps plaintext away from the provider entirely, but the customer now carries the key-management burden (a lost key means lost data), and there is the possibility that someone could upload confidential data that has not been encrypted. A check on the upload path that refuses any object not in the expected encrypted format closes that gap for the common case.
Another advantage of encryption is that cloud providers have less need to sanitize storage blocks after a customer deallocates them. If the next customer to receive a block could read it before writing to it, they would see only ciphertext (assuming a strong cipher and that the previous user's keys are unknown to the current user of the block). If data is not encrypted, there is a greater need to sanitize storage before allocating it to another customer, and whether the provider actually does so is something the customer cannot verify directly.
One way to evaluate cloud storage is to consider how the cloud provider's practices compare with the ones used for physical devices in your own company or organization. For example, when a server is removed from service, the hard drives are probably overwritten using some kind of disk-wiping software so that data cannot be recovered after you lose physical control of the device. Is the functional equivalent of disk overwriting available from the cloud provider? When the customer holds the encryption keys, destroying the key for a data set (cryptographic erasure) is such an equivalent: it renders every copy, including replicas and backups the customer never sees, unreadable at once.
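The client-side approach above, with the two checks a practitioner would want, as an added example that is not part of the original chapter: a fresh per-object data key is wrapped under a customer master key the provider never sees, the upload path refuses anything not in the encrypted format (the "someone uploads plaintext" failure mode), and zeroing the master key demonstrates cryptographic erasure as the equivalent of disk overwriting. The object layout, the `CSE1` magic bytes and all function names are assumptions made for this example, not any provider's format or API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Assumed upload layout (illustrative, not any provider's real object format):
//   "CSE1" || wrapped DEK (nonce||ct||tag) || nonce || ciphertext||tag
var magic = []byte("CSE1")

const nonceSize, tagSize, dekSize = 12, 16, 32
const wrappedSize = nonceSize + dekSize + tagSize
const minBlobSize = len("CSE1") + wrappedSize + nonceSize + tagSize

// randBytes panics if the CSPRNG fails: without randomness nothing below is safe.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewMasterKey returns a 256-bit customer master key; the provider never sees it.
func NewMasterKey() []byte { return randBytes(32) }

// Destroy is cryptographic erasure: zero the master key and every object wrapped
// under it, in every redundant copy and backup, becomes unreadable.
func Destroy(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM ciphertext || tag, with aad authenticated.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(nonceSize)
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil || len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("bad key or truncated ciphertext")
	}
	return aead.Open(nil, blob[:nonceSize], blob[nonceSize:], aad)
}

// LooksEncrypted is the guard to run before every upload. It is structural only
// (a plaintext file that starts with the magic bytes passes), a safety net rather
// than proof of encryption.
func LooksEncrypted(blob []byte) bool {
	return len(blob) >= minBlobSize && bytes.HasPrefix(blob, magic)
}

// Encrypt: fresh per-object data key (DEK) wrapped under the master key, body
// sealed under the DEK, object name bound as associated data against renaming.
func Encrypt(masterKey []byte, objectName string, plaintext []byte) ([]byte, error) {
	dek := randBytes(dekSize)
	wrapped, err := seal(masterKey, dek, magic)
	if err != nil {
		return nil, err
	}
	body, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return append(append(append([]byte{}, magic...), wrapped...), body...), nil
}

// Decrypt applies the same guard, then unwraps the DEK and opens the body.
func Decrypt(masterKey []byte, objectName string, blob []byte) ([]byte, error) {
	if !LooksEncrypted(blob) {
		return nil, fmt.Errorf("not a client-encrypted object")
	}
	dek, err := open(masterKey, blob[len(magic):len(magic)+wrappedSize], magic)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key (master key destroyed?): %w", err)
	}
	return open(dek, blob[len(magic)+wrappedSize:], []byte(objectName))
}

func main() {
	mk := NewMasterKey()
	blob, _ := Encrypt(mk, "hr.csv", []byte("employee,ssn\nalice,123-45-6789\n")) // constructed sample
	Destroy(mk)
	_, err := Decrypt(mk, "hr.csv", blob)
	fmt.Println("after key destruction:", err)
}
```

Binding the object name as associated data means a blob copied under another name fails to decrypt, which is the cheap defence against a provider (or an attacker with provider access) quietly serving one customer's object in place of another. Destroying the key is only as good as the key store: if the master key also lives in a backup, that backup has to be wiped too.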
Availability and SLAs
Highly distributed architectures, such as those used in cloud environments, can take advantage of redundancy to ensure availability. If a data center on the East Coast of the US is inaccessible, customers could still access their applications and information using a data center in the Midwest. A bad controller in one disk array would not result in lost data because the same data is written to multiple other storage devices. This is the theory, at least, when it comes to availability. In practice, well-defined SLAs trump theory. Availability and SLA issues with cloud computing include:
- The total amount of contracted downtime over some period of time (for example, per month or per year)
- The longest acceptable continuous period of downtime; downtime in excess of that presumably results in compensation to the customer
- Backup services, if any
One should also consider cases in which cloud services are not available. If a cloud-based application or data storage service is unavailable for hours or days, how would that affect operations?
An essential but much more difficult question to assess is how likely an outage is. From a risk analysis perspective, one could use past performance as a basis for estimating the likelihood of an outage; however, past conditions may not match current or future conditions. Cloud providers may have many more customers in the future and have to accommodate larger volumes of data. Will their architectures continue to scale? Are there potential bottlenecks outside their control, such as an ISP that cannot scale up bandwidth as fast as a data center needs for peak demand? Serious cloud providers build redundancy and sufficient capacity into their infrastructure, but these are still questions to consider when outsourcing computing and storage services.
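The two SLA terms listed above (total downtime per period, longest continuous outage) are only useful if you check a provider's outage record against them, which is also the "past performance" input to the likelihood estimate. The following is an added example, not part of the original chapter, that clips an outage log to the contract period, merges overlapping reports so one incident seen by two monitors is not double counted, and returns both verdicts. The January 2009 outage log and the 99.9% / one-hour contract terms are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Outage is one recorded period of unavailability, [Start, End).
type Outage struct{ Start, End time.Time }

// SLA holds the two contract terms discussed in the text.
type SLA struct {
	Availability    float64       // e.g. 0.999 for "three nines"
	MaxSingleOutage time.Duration // longest acceptable continuous outage
}

// AllowedDowntime is the downtime budget implied by the availability figure.
func (s SLA) AllowedDowntime(period time.Duration) time.Duration {
	return time.Duration((1 - s.Availability) * float64(period))
}

// Report is the result of checking an outage log against the contract.
type Report struct {
	Total, Longest       time.Duration
	Observed             float64 // measured availability over the period
	BudgetExceeded       bool
	SingleOutageExceeded bool
}

// merge clips outages to the period and coalesces overlapping or adjacent ones,
// so one incident reported by two monitors is not counted twice.
func merge(periodStart, periodEnd time.Time, outages []Outage) []Outage {
	var clipped []Outage
	for _, o := range outages {
		if o.Start.Before(periodStart) {
			o.Start = periodStart
		}
		if o.End.After(periodEnd) {
			o.End = periodEnd
		}
		if o.End.After(o.Start) {
			clipped = append(clipped, o)
		}
	}
	sort.Slice(clipped, func(i, j int) bool { return clipped[i].Start.Before(clipped[j].Start) })
	var merged []Outage
	for _, o := range clipped {
		if n := len(merged); n > 0 && !o.Start.After(merged[n-1].End) {
			if o.End.After(merged[n-1].End) {
				merged[n-1].End = o.End
			}
			continue
		}
		merged = append(merged, o)
	}
	return merged
}

// Evaluate answers the two SLA questions: total downtime against the budget,
// and longest continuous outage against the contractual maximum.
func Evaluate(s SLA, periodStart, periodEnd time.Time, outages []Outage) Report {
	var r Report
	for _, o := range merge(periodStart, periodEnd, outages) {
		d := o.End.Sub(o.Start)
		r.Total += d
		if d > r.Longest {
			r.Longest = d
		}
	}
	period := periodEnd.Sub(periodStart)
	r.Observed = 1 - float64(r.Total)/float64(period)
	r.BudgetExceeded = r.Total > s.AllowedDowntime(period)
	r.SingleOutageExceeded = r.Longest > s.MaxSingleOutage
	return r
}

// SampleOutages is a constructed log for January 2009 (not real provider data);
// the first two entries overlap, as when two monitors report the same incident.
func SampleOutages() []Outage {
	at := func(day, hour, min int) time.Time {
		return time.Date(2009, time.January, day, hour, min, 0, 0, time.UTC)
	}
	return []Outage{
		{at(3, 10, 0), at(3, 10, 30)},
		{at(3, 10, 20), at(3, 10, 45)},
		{at(20, 2, 0), at(20, 2, 10)},
	}
}

func main() {
	sla := SLA{Availability: 0.999, MaxSingleOutage: time.Hour}
	start := time.Date(2009, time.January, 1, 0, 0, 0, 0, time.UTC)
	end := start.AddDate(0, 1, 0)
	r := Evaluate(sla, start, end, SampleOutages())
	fmt.Printf("budget %v, total %v, longest %v, observed %.5f\n",
		sla.AllowedDowntime(end.Sub(start)).Round(time.Second), r.Total, r.Longest, r.Observed)
	fmt.Println("budget exceeded:", r.BudgetExceeded, " single-outage limit exceeded:", r.SingleOutageExceeded)
}
```

On the sample log the merged downtime is 55 minutes against a 44.6-minute monthly budget, so the availability term is breached even though no single outage exceeded the one-hour limit; the two terms fail independently, which is why both belong in the contract.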
Compliance with Government and Industry Regulations
Compliance issues will also require careful consideration. A CTO asked to sign off on a Sarbanes-Oxley Act compliance report will want to know that the cloud provider's procedures and practices are sufficient to maintain compliance. A range of topics could fall under compliance:
- Access controls to data to ensure that only users authorized by the customer have access to data
- The cloud provider offers protections to prevent potential abuse by administrators and other privileged users operating the cloud infrastructure
- When data is deleted, it becomes irrecoverable in all redundant copies and backups, if any
- Sufficient logging and monitoring is in place to meet compliance requirements
Shifting responsibilities to cloud providers to meet some of a company's compliance requirements should be done only after ensuring the cloud provider can actually meet audit and compliance requirements.
Infrastructure Security in the Cloud
When we put money in a bank, we usually assume it is safe. Banks have developed a security infrastructure and risk management procedures that have, at least until recently, been presumed sufficient to protect depositors' assets. Even in cases in which individual banks fail, federal government guarantees virtually eliminate the risk of a loss. Some day, we may have the same level of trust and guarantees in the cloud computing industry, but they are not in place yet. Customers conducting due diligence on cloud providers will want to understand the providers' policies and procedures with regard to physical security in data centers, access controls, identity provisioning and de-provisioning, protection for data during transmission, disaster recovery procedures and guarantees, and employee background checks, to name a few.
Cloud computing is changing the economic equation of IT services, but along with the benefits come variations on long‐understood security concerns. As consumers of cloud-computing services, we need to adapt our security strategy to accommodate these new concerns.
Move on to part 2 of the chapter excerpt, How to protect distributed information flows.
This was first published in November 2009