Cloud Security - Key Risks for Cloud Computing
The cloud is a means by which global class, highly scalable and flexible services can be delivered and consumed over the internet through an as-needed, pay-per-use business model.
This is one of HP's core definitions for cloud computing. For more approaches and definitions you can look at the Jericho Forum Cloud Cube model, the Cloud Security Alliance best practices guidelines and NIST recently offered a view of cloud as part of their investigation into cloud computing. More are out there, but these provide a good baseline.
The cloud offers great benefits for any type of business looking to manage costs and effort in their IT services. However, business expectations of cloud solutions are also very complex. My colleague Fred Cummins has posted an excellent post on the "Business Expectations for Cloud Computing". Having been asked to lead some of HP's Cloud Security efforts, I wanted to expand on some of these thoughts in relation to security, as well as review some of the related market shifts we are dealing with.
In this thread I primarily take the enterprise or business focus, but by no means does that restrict the conversation to those entities. It is critical to consider the requirements and impact of cloud security on the actual individual consumer of cloud services, as well as the actual cloud OR service providers themselves.
I started at a high level with what I consider the security of cloud services requires. Each of these is a trigger term with a short description of the risk area I am referring to. I'll describe each in detail in upcoming posts:
- 1. Here Today, Gone Tomorrow - viability, disaster, and stupidity are just some of the reasons your provider may not be there.
- 2. Trust but Verify - Cloud providers may offer better security, but your business needs ongoing GRC.
- 3. Ride the Wave or Get Dumped - barring capital punishment, business groups will take the easiest tool to get the job done.
- 4. Isolation is Bliss, until it's not - so many walls are needed to protect your business data and processes, and data loss prevention is just one start. In parallel, being isolated is an issue if it means you cannot get your data out of the vendor.
- 5. Who, What, Where, How? - Identity Management does not go away in the cloud; in fact it becomes more important.
- 6. You can Delegate, but you can't Abdicate Responsibility.
These are not new issues; they just require some thought and analysis to define what they mean when talking about cloud services. Many other folks have lists of 7, 10, even 11... For example, as part of this effort I also took a look at the various analyst and journalistic efforts, such as Gartner's "Seven cloud-computing security risks". In summary the risks are:
1. Privileged user access
2. Regulatory compliance
3. Data location
4. Data segregation
5. Recovery
6. Investigative support
7. Long-term viability
I am trying to provide some broad buckets to make sure we can discuss what security risks are important to each participant (consumer, business customers, service providers etc.).
What's really needed to help organizations better understand their cloud security requirements?
Awareness is the start.
My list is still a work in progress, so let's work it together...
Cloud computing, the dynamic data center.
Cloud computing helps to increase the speed at which applications are deployed, helping to increase the pace of innovative networked computing. For service-deployed applications, cloud computing can be provided using an enterprise data center's own servers, or it can be provided by a cloud provider that takes all of the capital risk of owning the infrastructure.
Cloud computing incorporates virtualization, data and application on-demand deployment, internet delivery of services, and open source software. Virtualization enables a dynamic data center where servers provide resources that are utilized as needed with resources changing dynamically in order to meet the needed workload.
The combination of virtual machines and virtual appliances used as server deployment objects is one of the key features of cloud computing. Additionally, companies can merge in a storage cloud that provides a virtualized storage platform and is managed through an API, or Web-based interfaces for file management, and application data deployments.
Layered service providers offering pay-by-use cloud computing solutions can be adjacent to a company's equipment leases. Public clouds are run by third-party service providers, and applications from different customers are likely to be mixed together on the cloud's servers, storage systems, and networks. Private clouds are built for the exclusive use of one client, providing the utmost control over data, security, and quality of service. Private clouds can also be built and managed by a company's own IT administrator. Hybrid clouds combine both public and private cloud models, which may be used to handle planned workload spikes, or storage cloud configurations. Dedicated audits for security policies are a must.
The benefits of deploying applications using cloud computing include reducing run time and response time, and minimizing the purchasing and deployment of physical infrastructure. Other considerations are energy efficiency, flexibility, simplified systems administration, pricing based on consumption, and most of all limiting the footprint of the data center. Virtualized solutions: http://www.shopricom.com
Trust but verify. Excellent point. The challenge, however, is exactly how one "verifies" that a cloud provider is doing what they should be doing - or at least what they claim to be doing - from a security perspective. Annual certifications are great, but they're annual and process oriented. What about the other 360+ days a year, and the public-facing (bad-guy facing) technologies? Our POV is that the best way to "verify" is using a combination of annual certs (ISO 27001/PCI/etc.) with "daily" validation. As a first step, we launched a program that checks the baseline, external-facing network and application for vulnerabilities. At the very least, it provides some validation from a neutral, third-party expert - in our case, McAfee.
That aside, I think you hit on an important idea around verifying. Thank you for the post.