It seems that my previous post on compliance and third parties struck a chord with a few of you, so I guess it is about time I dedicated a post to "The Cloud" specifically. Over the past couple of years we have seen a lot of hype and confusion about what The Cloud really means and what it can do for you. I think we have now reached the stage where there is perhaps a bit of disappointment that The Cloud, given the inflated expectations, is not the miracle it was made out to be.
Undeniably, the key opportunity for service providers is to differentiate themselves by becoming cloud service providers, and major efforts are still being invested in attaining a recognised position in the new cloud market. The key issues for businesses when deciding on cloud adoption still revolve around security and control, capacity or scale flexibility, and the availability of a skilled workforce.
Evidently, there are a lot of exciting opportunities in the Cloud, where organisations can see the potential to reduce capital costs and become more agile by divesting themselves of infrastructure and application management to concentrate on their core competencies. As with any technology, it creates risks as well as opportunities. In some cases, moving to the cloud provides an opportunity to re-architect older applications and infrastructure to meet or exceed modern security requirements. At other times, the risk of moving sensitive data and applications to an emerging infrastructure might exceed tolerance levels.
The fact remains: Cloud Computing isn't necessarily more or less secure than your current environment. Unfortunately, misconceptions still abound, not only about what The Cloud really is but also about security in The Cloud. I guess the limitations on cloud computing growth will include issues of data custody, control, security, privacy, jurisdiction and portability standards, as highlighted in my previous post on EU Data Protection Laws. Adopting cloud computing is a complex decision that will involve many factors, including not only desktop applications, e-mail, collaboration and enterprise resource planning but potentially any application and the infrastructure it requires. It is therefore not surprising that enterprises are grappling with the dichotomy of how to lose control gracefully whilst maintaining accountability when operational responsibility for handling and securing their assets rests with one or more third parties.
At this point, I have to thank the Cloud Security Alliance for their tireless efforts in promoting best practice for securing not only the cloud but all other forms of computing. Today's post attempts to provide some definitions and takes its inspiration from their Cloud Security Alliance: Security Guidance for Critical Areas of Focus in Cloud Computing v3.0 (November 2011).
One of the fundamental considerations when trying to assess cloud computing security risks is understanding the relationship between the Cloud Service Models, commonly referred to as SPI (Software as a Service, Platform as a Service, Infrastructure as a Service), as defined by NIST:
IaaS is the foundation of all cloud services and is the lowest level of the infrastructure resource stack. It provides the capability, where required, to abstract resources, provides physical and logical connectivity to those resources, and exposes a set of APIs that allows "consumers" to interact with the infrastructure.
PaaS builds on IaaS and provides an additional integration layer with application development frameworks, middleware, programming languages and tools supported by the stack, as well as functions allowing developers to build applications on the platform.

SaaS in turn builds on PaaS and is a self-contained operating environment that delivers the entire user experience.
The key consideration for security is that the lower down the stack the cloud service provider's responsibility stops, the more of the security controls for an asset the organisation must implement and manage itself (with IaaS, for example, the consumer owns everything from the operating system upwards, whereas with SaaS the provider owns most of the stack and the consumer is left mainly with identity, data and usage controls), as summarised by the figure below:
This means that organisations should adopt a risk-based approach when considering moving assets to the cloud. This will involve risk assessments and some elements of threat scenario modelling:
- What enterprise asset (data or applications/ functions/ processes) is being considered for a potential move to the Cloud and how sensitive is that asset?
- What would be the impact of the asset being made public?
- What would be the impact of the asset being changed unexpectedly?
- What would be the impact of the asset being unavailable?
- What would be the impact of a cloud service provider employee accessing the asset?
- What would be the impact of a process or function being manipulated by an outsider?
- What would be the impact of a process or function failing to provide the expected results?
In other words, the first step in determining a Cloud migration "posture" is to categorise and evaluate the asset for confidentiality, integrity and availability, and how each of these will be affected if the asset is handled in the cloud. And finally, it would be remiss of me not to mention that when it comes to cardholder-related assets (either cardholder data or payment applications) or other personally identifiable information (PII), the process is the same, and the PCI DSS controls fit neatly with the security control model to be applied to a cloud model.
My next post will look at how cloud deployment models and location affect security considerations, and will hopefully give you some tips on contractual matters. In the meantime, you can also read this very interesting article from The Metropolitan Corporate Counsel.

Until next time...
Hi Neira - Just thought I'd mention that NAVIGATING THROUGH THE CLOUD is a registered trademark of my organisation. Regards, Rob Livingstone ( http://www.navigatingthroughthecloud.com/ )

Hi Rob, many thanks for letting me know. Great website!
Kind regards,
Neira

No problem - Also, happy to collaborate in any way that you think may be of value. I'm absolutely vendor agnostic, technology independent, and my mission is to help everyone avoid crashing into the metaphorical mountain as they hurtle through the clouds, so to speak. My approach is to challenge perceptions, opinions and assumptions to help others become better self-informed; then sensible commercial decisions get made! Also, I love your writings - clear, no nonsense and just like a cruise missile - bang on target! Feel free to keep in touch. All the best, Rob

Thanks Rob, I will keep you in mind! :)