Cloud Computing Security
Security best practices are defined by top CIOs
- The inherent system complexity of a cloud computing environment, and the dependency on the correctness of its components and the interactions among them
- The dependency on the service provider to maintain logical separation in a multi-tenant environment (n.b., not unique to the cloud computing model)
- The need to ensure that the organization retains an appropriate level of control to obtain situational awareness, weigh alternatives, set priorities, and effect changes in security and privacy that are in the best interest of the organization
Key security considerations include the need to:
- Carefully define security and privacy requirements during the initial planning stage at the start of the systems development life cycle
- Determine the extent to which negotiated service agreements are required to satisfy security requirements, and weigh the alternatives of using negotiated service agreements or cloud computing deployment models that offer greater oversight and control over security and privacy
- Assess the extent to which the server- and client-side computing environment meets organizational security and privacy requirements
- Continue to maintain security management practices, controls, and accountability over the privacy and security of data and applications
The need to lower cost, increase efficiency and conserve cash has increased the motivation of companies to turn to Cloud Computing and increased the appeal of alternative delivery models. The disruptive shifts in new demand and supply patterns drive changes in how IT services are bought and from whom.
Three main security and privacy issues that need to be covered in any contract with a vendor:
- Adequacy of Policies and Practices. The security and privacy policies and practices of the cloud provider might not be adequate or compatible with those of the organization. This can result in undetected intrusions or violations due to insufficient auditing and monitoring policies by the cloud provider; lack of sufficient data and configuration integrity due to a mismatch between the organization's and the cloud provider's policies for separation of duty (i.e., clear assignment of roles and responsibilities) or redundancy (i.e., having sufficient checks and balances to ensure an operation is done consistently and correctly); and loss of privacy due to the cloud provider handling sensitive information less rigorously than the organization's policy dictates.
- Confidentiality and Integrity of Services. Insufficient security controls in the cloud provider's platform could negatively affect the confidentiality, privacy, or integrity of the system. For example, use of an insecure method of remote access could allow intruders to gain unauthorized access to, modify, or destroy the organization's information systems and resources; to deliberately introduce security vulnerabilities or malware into the system; or to launch attacks on other systems from the organization's network, perhaps making it liable for damages.
- Availability. Insufficient safeguards in the cloud provider's platform could negatively affect the availability of the system. Besides the applications directly affected, a loss of system availability may cause a conflict for key resources that are required for critical organizational operations. For example, if disruptive processing operations are performed by the cloud provider (e.g., load rebalancing due to site failure or emergency maintenance) at the same time as peak organizational processing occurs, a denial of service condition could arise. A denial of service attack targeted at the cloud provider could also affect the organization's applications and systems operating in the cloud or at the organization's data center.
The Practical Guide for Cloud Outsourcing Template includes a sample Cloud Outsourcing Contract along with a Service Level Agreement and other tools to facilitate the cloud outsourcing process. The template includes Janco's exclusive Business and IT Impact Questionnaire.