Cloud computing could help improve security, says Microsoft.
Cloud computing adds security challenges, but also provides opportunities to improve security posture, according to Steve Lipner, senior director of security engineering strategy at Microsoft.
Traditional threats such as cross-site scripting, code injection and denial of service remain, and cloud computing expands some of them and introduces others, he said.
“Data privacy issues such as data location and segregation, and privileged access control, become greater in the cloud, for example,” he said.
Threats introduced by cloud computing infrastructures include new types of privilege escalation vulnerabilities from virtual machine (VM) to host or VM to VM.
“These are the kinds of new issues that organisations looking at cloud services need to ensure have been taken care of by service providers,” said Lipner.
But the good news, he said, is that the cloud computing model also provides opportunities to mitigate threats, such as slow or incomplete security patching.
“With cloud services, patching is automated to ensure all applications are up to date from a security point of view at all times,” said Lipner.
Instances of applications can also be run on more secure systems within the service providers’ infrastructure and there is greater resilience across the service, he said.
But Lipner said the decision to move to cloud services is ultimately a business decision that must be taken based on a risk analysis.
“There is always a trade-off between cost and security,” he said.
At one end of the spectrum, private clouds provide the highest level of control, but no economy of scale, while public clouds provide the greatest economies of scale with little control.
“Organisations need to find the right balance by getting the information and assurances they need to make informed risk management decisions,” said Lipner.
Microsoft is banking on a combination of transparency about what it is doing to provide secure online services and third-party validation. All Microsoft online services and software conform to the company’s Security Development Lifecycle principles, ISO 27001 and Common Criteria for IT security.
Compliance with these standards and objectives is validated by the certifying bodies and an annual third-party SAS 70 audit.
“In choosing a cloud services provider, organisations should look at reputation, openness and certification,” said Lipner.
In these early days of cloud computing, these are the only things organisations can take into account in order to make informed decisions, he said.