Cloud Computing : Security perspective – Part 25

Cloud computing security

Cloud computing security (sometimes referred to simply as “cloud security”) is an evolving sub-domain of computer security, network security, and, more broadly, information security.

It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.

Cloud security is not to be confused with security software offerings that are “cloud-based” (a.k.a. security-as-aservice).

Security issues associated with the cloud

There are several security issues/concerns associated with cloud computing but these issues fall into two broad categories:

• Security issues faced by cloud providers (organizations providing Software-, Platform-, or Infrastructure-as-a-Service via the cloud)
• security issues faced by their customers.

In most cases, the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected, while the customer must ensure that the provider has taken the proper security measures to protect their information via audits and governance.

 

Dimensions of cloud security

Correct security controls should be implemented according to asset, threat, and vulnerability risk assessment matrices.

While cloud security concerns can be grouped into any number of dimensions (Gartner names seven while the Cloud Security Alliance identifies thirteen areas of concern) these dimensions have been aggregated into three general areas:

• Security and Privacy
• Compliance,
• Legal or Contractual Issues.

 

Compliance

Numerous regulations pertain to the storage and use of data, including Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act, among others.

Many of these regulations require regular reporting and audit trails.

Cloud providers must enable their customers to comply appropriately with these regulations.

 

Business continuity and data recovery

Cloud providers have business continuity and data recovery plans in place to ensure that service can be maintained in case of a disaster or an emergency and that any data lost will be recovered.

These plans are shared with and reviewed by their customers.

 

Legal and contractual issues in Cloud

Aside from the security and compliance issues enumerated above, cloud providers and their customers will negotiate terms around liability (stipulating how incidents involving data loss or compromise will be resolved, for example), intellectual property, and end-of-service (when data and applications are ultimately returned to the customer.

 

Public records

Legal issues may also include records-keeping requirements in the public sector, where many agencies are required by law to retain and make available electronic records when requested.

This may be determined by legislation, or the law may require agencies to conform to the rules and practices set by a records-keeping agency.

Public agencies using cloud computing and storage must take these concerns into account.