Is data as secure with cloud computing as it is in a traditional
outsourced environment? Lee Newcombe, a principal consultant at
technology consultancy Capgemini, reports.
So you've seen the hype, attended the conferences, spoken to
satisfied customers and have decided that this cloud computing
stuff is for you. But, at the back of your mind you still have a
little voice muttering about security risks. What do you do
next?
Let's assume that you've done the groundwork: you have a good
idea of the types of services and data that you believe would
benefit from a shift to a cloud service and you've read both the
Jericho Forum paper describing their Cloud Cube model and the
guidance paper from the Cloud Security Alliance.
Cloud computing presents information risk, but probably not
significantly more than a traditional outsourced environment does.
Start with the legal and commercial aspects - will your data
remain within the geographical constraints of your legal and
compliance obligations? Will it even remain your data? How can you
securely get data into and out of your chosen cloud? How
straightforward, costly and efficient is it to get data back from
the cloud? Can you have multiple connections between yourself and
your provider?
Now consider the mechanisms you will use to control access to both
your data and the services that process it. Decide whether you will
use single sign-on between your on-premises and cloud-based
applications, and examine the security services your cloud provider
offers by default. Never forget that you can encrypt data in transit
and at rest, but if you are processing in the cloud your data will,
at some point, be in the clear in memory on shared physical hardware.
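As an added illustration of that last point (example code written for this page, not from the article or from Capgemini), the Go program below encrypts a record on the customer side with AES-256-GCM under a key the customer holds, hands the provider only ciphertext, and shows that the provider can neither search the stored bytes nor alter them undetected, but that any processing done by the provider's service has to decrypt first, at which point the plaintext sits in memory on the provider's hardware. The provider model, the sample record and the fixed key are all constructed for the example; key management is assumed to stay with the customer.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is what the hypothetical provider holds at rest: the nonce
// and the AES-GCM ciphertext (which carries its own authentication tag).
// No key material travels with it.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt runs on the customer side before upload. The 32-byte key is
// held by the customer (key management is out of scope here); the
// provider only ever receives the StoredObject.
func Encrypt(key, plaintext []byte) (StoredObject, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return StoredObject{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredObject{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	return StoredObject{Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt reverses Encrypt and fails if the stored bytes were altered,
// so corruption or tampering at the provider is detected rather than
// silently returned as garbage.
func Decrypt(key []byte, obj StoredObject) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, nil)
}

// ProviderSearch models the provider trying to work on what it stores
// without the key: a byte search over ciphertext finds nothing useful.
func ProviderSearch(obj StoredObject, term string) bool {
	return bytes.Contains(obj.Ciphertext, []byte(term))
}

// ProcessInCloud models the point made in the text: to do useful work
// the service must decrypt, so the plaintext exists in the clear in this
// process's memory, on whatever shared hardware it happens to run on.
func ProcessInCloud(key []byte, obj StoredObject, term string) (bool, error) {
	pt, err := Decrypt(key, obj)
	if err != nil {
		return false, err
	}
	return bytes.Contains(pt, []byte(term)), nil
}

func main() {
	// Constructed sample record and key; a real key would come from the
	// customer's own key management, never from the provider.
	key := bytes.Repeat([]byte{0x42}, 32)
	record := []byte("customer: ACME Ltd; contract value: 1200000; notes: priority account")

	obj, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("provider can find 'contract value' in stored bytes:", ProviderSearch(obj, "contract value"))

	found, err := ProcessInCloud(key, obj, "contract value")
	if err != nil {
		panic(err)
	}
	fmt.Println("service holding the key finds 'contract value':", found)

	// Tamper with one stored byte: authenticated decryption now fails.
	obj.Ciphertext[0] ^= 0x01
	_, err = Decrypt(key, obj)
	fmt.Println("tampered object rejected:", err != nil)
}
```

The same holds for any processing the provider performs on your behalf, which is why the question of who holds the keys, and where they are used, belongs in the access-control discussion rather than being settled by an "encrypted at rest" line on a datasheet.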
Examine the evidence that the security practices a cloud provider
claims have actually been implemented: look for ISO 27001
certification, and check the certificate's scope and the statement of
applicability to see which parts of the service, and which controls,
the certification actually covers.
Then there is the other oft-touted problem with cloud computing:
availability. Ensure that the service availability offered by the
cloud provider is sufficient for your requirements and that the
cloud provider's availability figures are both recent and regularly
updated.
Consider the risk of provider lock-in. Lock-in can arise from
proprietary software stacks or proprietary data formats or both. It
would be problematic to move from a Force.com application coded
using Apex on to a service hosted on an Amazon Web Services image
should your requirements change. Lock-in is more of a risk the
higher up the stack you go as the scope for proprietary mechanisms
increases. Aside from traditional lock-in implications, what would
happen if your provider goes out of business or stops offering
service? Look at
the fate of Coghead customers when Coghead was closed following its
purchase by SAP.
Cloud computing now has the momentum that its forebears, utility and
grid computing, were never able to achieve.
We are all likely to be using cloud-based services in the future,
even if we are not always aware of the fact. It is now the role of
risk professionals to make sure that we manage this move to a new way
of working in a manner that preserves the security, operations and
best interests of those we work for and of those whose data and
services we are entrusted to protect.
Security Zone: read more advice from (ISC)2 qualified security
professionals.