By Thomas Bbosa
Cloud computing is here, and has been embraced by many an organization. Cloud computing as defined by the US National Institute of Standards and Technology (NIST) is “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Cloud computing is basically about outsourcing IT resources just like you would outsource utilities like Electricity or water off a shared public grid. The cloud services options include: Software as a Service (SaaS); Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
Cloud computing has become popular because, Enterprises are constantly looking to cut costs by outsourcing storage, software (as a service) from third parties, allowing them to concentrate on their core business activities. With cloud computing, enterprises save on setting up their own IT infrastructure which would otherwise be costly in terms of initial investment on hardware and software, as well as continued maintenance and human resource costs.
According to the Gartner report on cloud security, enterprises require new skill set and to handle the challenges of cloud security and need to ensure that their cloud service provider has most of “the boxes ticked” and that they have their security concerns addressed.
Cloud computing, being a somewhat a new field of IT with no specific standards for security or data privacy, therefore continues to present managers with several challenges. There is need for your provider to be able to address some of the issues that come up including the following:
Access control / user authentication: How is the access control managed by your cloud service provider? To be more specific, Do you have options for role based access to resources in the cloud,? How is the process of password management handled? How does that compare to your organization’s Information security policy on access control?
Regulatory compliance: How do you reconcile the regulatory compliance issues regarding data in a totally different country or location? How about data logs, events and monitoring options for your data; does the provider allow for audit trails which could be a regulatory requirement for your organization?
Legal issues: Who is liable in case of a data breach? How is the legal framework in the country where your cloud provider is based, visa vi your own country? What contracts have you signed and what issues have you covered/discussed with the provider in case of legal disputes. How about local laws and jurisdiction where data is held? Do you know exactly where you data is stored? Are you aware of the conflicting regulations on data and privacy? Have you asked your provider all the right questions?
Data safety: Is your data safe in the cloud? How about the problems of Man-in-the-middle attacks and Trojans, for data moving to and from the cloud. What are the encryption options offered by the provider? Another important question to ask is; who is responsible for the encryption /decryption keys? . Also you will find that cloud providers work with several other third parties, who might have access to your data. Have you had all these concerns addressed by your provider?
Data separation / segregation: Your provider could be hosting your data along with several other clients’ (multi-tenancy).. Have you been given verifiable assurance that this data is segregated and separated from the data of the provider’s other clients? According to the Gartner report, its a good practice to find out “what is done to segregate data at rest.”
Business continuity: What is the acceptable cloud service down time that you have agreed with your provider? Do these down times compare well with your organization acceptable down time policy? Are there are any penalties/ compensations for downtime, which could lead to business loss? What measures are in place by your provider to ensure business continuity and availability of your data / services that are hosted on their cloud infrastructure in case of disaster? Does your provider have options for data replication across multiple sites? How easy is restoring data in case a need arises?
Cloud services providers have increased their efforts in addressing some of the most pressing issues with cloud security. In response to cloud security challenges, an umbrella non-profit organization called the Cloud Security Alliance was formed, some of its members include: Microsoft, Google, Verizon, Intel, McAfee, Amazon, Dell, HP, among others, its mission is “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
(Thomas Bbosa is an Information Systems security Consultant and Managing Partner with BitWork Consult Ltd – ( http://www.bitworkconsult.com ) an East African IT security consulting firm, based in Kampala, Uganda).
Reproduced from http://EzineArticles.com