This is an 8-page high-level discussion of the fundamental challenges and benefits of cloud computing security, plus some of the questions that cloud service providers and organisations using cloud services need to consider when evaluating a new move, or expansion of existing services, to the cloud. This document presumes that the reader is familiar with the core concepts of cloud computing and basic principles of cloud security. It is not the goal of this paper to provide all the answers to the questions of security in the cloud or to provide an exhaustive framework for cloud security.
————
As with any other technological shift or change, security benefits and risks need to be addressed before the full benefits of cloud computing can be realised. Considerations such as compliance and risk management; identity and access management; service integrity; endpoint integrity; and information protection should all be explored when evaluating, implementing, managing, and maintaining cloud computing solutions.
- Compliance and Risk Management: Organisations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.
- Identity and Access Management: Identities may come from different providers, and providers must be able to federate from on-premise to the cloud, as well as enable collaboration across organisation and country borders.
- Service Integrity: Cloud-based services should be engineered and operated with security in mind, and the operational processes should be integrated into the organisation’s security management.
- Endpoint Integrity: As cloud-based services originate, and are then consumed, on-premise, the security, compliance, and integrity of the endpoint have to be part of any security consideration.
- Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.
While they bring many potential benefits, services provided through cloud computing may also create new concerns, some of which are not yet fully understood. Adopting a cloud service may also require IT organisations to adapt to data management no longer under their direct control. This is especially true in a “hybrid model” in which some processes remain on-premise and some are in the cloud, requiring new and extended security processes that encompass multiple providers to achieve comprehensive protection of information. Risk management and security management remain the responsibility of any organisation, but should be extended to include the cloud provider(s).
Clear strategies related to these five considerations[1], as well as a strong service-level framework, will help to ensure that implemented services deliver cloud computing functionality that meets security requirements and business expectations.
[1] These are just some of the question areas which must be considered. Further details and advice on cloud computing in general can be found in the papers from The Cloud Security Alliance and ENISA.
WHITEPAPER: “Cloud Computing Security Considerations”
http://bit.ly/beL73O
