Securing the Cloud

Cloud computing has now become the global buzzword across industries where organizations are looking at the delivery of computing as a service rather than a product with effective sharing of resources like software, computing devices, etc, as a utility just like the electricity over the internet. This concept fills a perpetual need of IT ie, a quick way to increase the capacity or add more capabilities without investing in new infrastructure, licensing, new softwares, etc.

Cloud computing is achieving increased popularity but concerns are being voiced about the security issues introduced through the adoption of this new model. The effectiveness and efficiency of traditional protection mechanisms are being reconsidered as this mode differs widely from those of traditional architectures.
Relative security of cloud computing services is a contentious issue which delivers a great incentive among cloud computing service providers in producing a priority in building and maintaining strong management of secure services.

The security issues have been broadly categorized into

  • Security and Privacy: Data protection, IDM, etc
  • Compliance: BCP, data recovery, etc
  • Legal: County specific lays to be adhered

Let us talk about security and privacy, specifically about data. Data has been and will be for any company its biggest intellectual property; and it has been seen that even in traditional networks, misuse of data in organizations was there. It has been proved that most security breaches are internal and more than 75% of the fortune companies at some instance have faced the issue of data loss despite having highly secured networks. Security officers noted that employees misusing the corporate data as the most serious challenge.

In terms of security for cloud based services, they should be managed at the same level as that of an enterprise. Planning will help to ensure that the computing environment is secured and is in compliance with not just the organizations and customers security policies but also country-specific regulations. To ensure a high degree of effectiveness and minimize costs, we should consider security and privacy in the initial stages itself as addressing it at a later stage could be more complex and expensive.

Some key points we should look into while deploying cloud computing environment with regards to security are:

  • Ensuring that the cloud computing environment satisfies the organizational security and privacy requirements and takes into account the storing of data and its location. Since the cloud would cater to multiple customers, it would be important to ensure data isolation using various techniques such as IAM and include data sanitization when various storage devices are replaced and ensure the removal of sensitive data from the storage device
  • Encryption of data, be it static data or data in motion. Since data processed outside the enterprise would bring an inherent level of risk, data would need to be encrypted be it static or in motion, because outsourced services bypass physical, logical, and personnel controls.
  • Identity and access management by keeping in mind the right to access data based on security controls and security policies. Ensuring proper authentication using token based authentication, based on security policy of the organization. They could be hardware or software tokens or session based tokens using mobile phones also. Access control to ensure right to know and access the data based on security policies of the organization
  • Ensure high availability and availability as services can be affected temporarily or permanently and the loss can be complete or partial. Denial of service attacks, equipment outages, and natural disasters are all threats to availability
  • Another important aspect is to look at the SLA for the same and incident reporting. This involves an organization method to deal with the consequences of an attack against the security system. The role of the providers is highly critical in performing incident response activities, including verification of the incident, analysis of the attack, containing the attack, data collection and preservation, problem remediation, and restoring the services. It would be important to regularly revisit the response plan to ensure one is able to address the differences. Collaboration between the service subscriber and provider in recognizing and responding to an incident is essential to security and privacy in cloud computing, though complexity of the service can obscure recognition and analysis.

As the cloud technology is taking shape, it is a little difficult to define its capabilities and benefits but one would need to ensure that it should be able to provide the same levels of security as that for an enterprise. Ensuring a DR/BCP plan with strong security inbuilt will make cloud computing a choice for many large organizations. Just as there are advantages to cloud computing, there are also several key security issues. One concern is that cloud computing blurs the natural perimeter between the protected inside the hostile outside. Reviewing the security of any cloud based services must be a regular process and keep in mind the availability as both could have serious impact on revenues.

Leave a Reply

Your email address will not be published. Required fields are marked *