The cloud is a means by which global class, highly scalable and flexible services can be delivered and consumed over the internet through an as-needed, pay-per-use business model.
This is one of HP's core definitions for cloud computing. For more approaches and definitions you can look at the Jericho Forum Cloud Cube model, the Cloud Security Alliance best practices guidelines and NIST recently offered a view of cloud as part of their investigation into cloud computing. More are out there, but these provide a good baseline.
The cloud offers great benefits for any type of business looking to manage costs and effort in their IT services. However, business expectations of cloud solutions are also very complex. My colleague Fred Cummins has posted an excellent post on the "Business Expectations for Cloud Computing". Having been asked to lead some of HP's Cloud Security efforts, I wanted to expand on some of these thoughts in relation to security, as well as review some of the related market shifts we are dealing with.
In this thread I primarily take the enterprise or business focus, but by no means does that restrict the conversation to those entities. It is critical to consider the requirements and impact of cloud security on the actual individual consumer of cloud services, as well as the actual cloud OR service providers themselves.
I started at a high level, and I consider the security of cloud services requires. Each of these is a trigger term with a short description of the risk area I am referring to. I'll describe each in detail in upcoming posts:
- 1. Here Today, Gone Tomorrow - viability, disaster, and stupidity are just some of the reasons your provider may not be there.
- 2. Trust but Verify - Cloud providers my offer better security, but your business needs ongoing GRC.
- 3. Ride the Wave or Get Dumped - barring capital punishment, business groups will take the easiest tool to get the job done.
- 4. Isolation is Bliss, until it's not - so many walls are needed to protect you business data and processes and data loss prevention is just one start. In parallel, being isolated is a issue if it means you cannot get your data out of the vendor.
- 5. Who, What, Where, How? - Identity Management does not go away in the cloud; in fact it becomes more important.
- 6. You can Delegate, but you can't Abdicate Responsibility.
These are not new issues; they just require some thought and analysis to define what it means when talking about cloud services. Many other folks have lists of 7, 10, even 11... For example, as part of this effort I also took a look at the various analyst and journalistic efforts. Gartner "Seven cloud-computing security risks". In summary the risks are:
1. Privileged user access
2. Regulatory compliance.
3. Data location.
4. Data segregation
6. Investigative support
7. Long-term viability
I am trying to provide some broad buckets to make sure we can discuss what security risks are important to each participant (consumer, business customers, service providers etc.)
What's really needed to help organizations better understand their cloud security requirements?
Awareness is the start.
My list is still a work in progress, so let's work it together...