2013 Cloud Security 7 big questions you have to face

2013 New Year's Eve, with the mass adoption of cloud computing applications, more and more users using cloud computing related products, the negative voice of the cloud computing will continue to appear, here are some chief information security officer and security enthusiasts listed Cloud computing in the security of the seven major issues, whether alarmist, cloud computing builder should be taken seriously, perhaps from the negative voice of the best way to formal innovation.

1, did not check identity at the beginning

The only way to securely log in to the cloud is through the enterprise identity management system. While many cloud services allow anyone inside an organization to register, create their own ID and password, instead of relying on the employee's personal email address at the business, this does not mean that IT or business should allow this happened.

While this may be easy at the outset, a disorganized enterprise's information management system can make an enterprise's system open to certain vulnerabilities, breach related security policies and ultimately fail to ensure cloud computing security "Said John Threens, chief security officer at Axway.

In a similar fashion, some companies are rapidly deploying IaaS services-using self-service capabilities to address the slow and dull IT department. But this approach bypasses the governance that allows cloud servers to be accessed without any defenses.

"People connect to data they should not see, like never-before-seen data about traditional projects on virtual machines," explains Stan Teng Jones, emerging technology analyst and cloud computing specialist at Information Services Group.

If it's a customer-facing cloud service? What is the access model? "How do you integrate it to allow users to log in similarly to a single internal model?" Julie Talbotha, Chief Information Security Officer, Ohio State University Byrd said.

2, turn a deaf ear to API security requirements

When companies migrate to cloud computing, users will need APIs (Application Programming Interfaces) so they can only leverage the company's services. Cloud computing brings in-house services and capabilities that are close to what customers want. API-based integration to meet this need.

Mobile developers use the API to build valuable systems on top of their in-house devices and business information. "If developers make money, these revenues cut your value chain, so you can share the benefits through the developer's API portal," explained Tirren.

Nonetheless, developers API keys to access API services have been compared with the password. Have you ever wondered what happens if you lose your password? Therefore, CIOs using the Cloud Services API need a solid API key protection plan.

3, cloud providers did not maintain sufficient independence

As cloud services evolve and new providers emerge, older vendors such as Amazon and Facebook already include best practices into their standards, and their offerings also serve small businesses, According to Helens said.

"This is a revolutionary way of deploying cloud computing for your in-house infrastructure," said Talens.

Everything is still evolving, and the best cloud solution today may not be the best tomorrow. Vendors' efforts on new standards, TOSCA and CAMP (both from OASIS, the Organization for the Advancement of Structured Information Standards) and the tools they provide, allow businesses to move to the cloud infrastructure without inevitably locking themselves in A given cloud.

Businesses should use these tools to keep their independence so they can switch themselves to the new cloud approach to better suit the needs of their business. Business resilience is good also in terms of operational risk management, if you need to be more flexible so you can quickly move to another service provider.

4, think you are already outsourced the risks and responsibilities out

Businesses can outsource some infrastructure to cloud services but can not completely outsource your business risks, accountability, and compliance with related obligations. Businesses need to provide their cloud providers a degree of transparency in order to get them fully informed about their risk models and corporate policies.

These requirements can show you some assessment and risk management that your cloud service provider may or may not be suitable for your business. "You can not just sign a contract with a cloud service provider and ask the cloud provider to take on all the risks," said Tailunns. Of course, cloud computing providers can not be as concerned about your business as yourself risk.

An example from the spring of last year, companies that moved all their businesses to a single Amazon E2C service experienced serious downtime issues. Businesses that store their data in more than one available area are quickly rehabilitated due to the risk diversification.

5, signed a cloud solution contract without IT and security involvement

In the absence of relevant technical background, you can easily register and select a number of large and small cloud providers. With so many cloud services on the market: Dropbox, SharePoint, Amazon's extra computing power, and so on, your business may already be using cloud computing services without IT-related expertise as easy as entering your credit card numbers !

"The idea is that they can bypass many IT project requirements and create productivity," said Jerry Owen, CIO of Prescient Solutions and a member of the National Cyber ​​Security Task Force.

Unfortunately, this approach introduces many new security, performance and fault tolerance issues. Implementing enterprise solutions without the involvement of IT departments can create conflicts between users and existing systems, configurations, and applications. Unqualified personnel have little understanding of regulatory and compliance requirements and may have more trouble with them.

"Although these cloud applications can provide rapid resolution of specific functional requirements, the risks and vulnerabilities they pose can result in significant cost penalties, system downtime, violations and fines," Owen explained.

It is for these reasons that all cloud adoption requires risk assessment, contract review, compliance checks and in-house policy reviews.

Without any IT, procurement, or other related departments before deploying and adopting cloud computing, businesses may lose all their governance of related data, applications, services, and infrastructure. Talbotha Byrd said.

6, overestimating cloud security

Steve Durbin, global executive vice president of the Information Security Forum, said hurried adoption of cloud services and potential savings could put businesses in the spotlight on the capabilities of cloud-based services without concern for cloud service providers providing a secure way or How to check in safety

This is often the case in organizations that take it for granted that cloud service providers serve multiple businesses and that they must have a stronger security department and strong policies, processes and procedures.

"That's often not the case," Owen said.

Usually cloud service providers will participate in the basic level of internal security, automatic deployment of security applications and platforms to complete most of the security measures. Other cloud providers may outsource higher level core security services to specialized third-party vendors. However, the services of third-party providers of security services may not include the related assistance required by the contract signed by the cloud computing provider and the customer.

"You must ask service providers to maintain certain security features, document security tasks, and provide a copy of all security policies and programs and security reports," Irving said.

7, do not understand the related costs

When cloud providers showcase their products, they often show only basic product costs based on potential customers.

"Unfortunately, after selecting a service provider, businesses often require additional services, software license licenses, and even hardware to perform all their tasks," Owen said. The cost of security and compliance with the relevant provisions of the same will rise. Organizations underestimate the cost of cloud computing and even as they meet some unrealistic expectations of internal IT resources, they will need to understand the number of applications in the cloud.

"Depending on the type of service (ie, SAAS, PAAS, IAAS) that cloud services provide, the amount of resources needed within the organization may not change. In fact, many of our customers who deploy cloud computing are not deploying cloud computing Reduce the allocation of their internal functions of the relevant departments. "Irving said.

In any case, the likelihood of an enterprise outsourcing 100% of its applications and systems to the cloud is minimal. Even if companies move most of their systems to cloud solutions, they still have internal infrastructure, workstations, and engineers. "In this way, the cost of IT is only minimally affected," Owen said.

(Editor: Shi Bo-peng)