Cloud computing standards: three major models and four configurations

Source: Internet
Author: User
"Cloud computing" is either an overhyped term doomed to fade or perhaps the most promising prospect in the future of information technology, depending entirely on whom you ask. Despite the current hype around the "cloud" concept, we still believe that time will prove the value of this movement. Those entrusted with developing IT strategy or protecting the organization's information assets have a responsibility to approach cloud computing cautiously. However, this formative period for cloud technology and its business models also opens a critical opportunity for you to develop a "trusted cloud" strategy that maximizes the benefits.


To understand why cloud computing is both a significant and a confusing trend, we need a basic understanding of how it is defined. At the highest level, cloud computing represents an unstoppable shift from purchasing hardware and software as infrastructure costs to "renting" utility-style services on demand out of operating budgets. The implication is that spare computing resources can be allocated dynamically, so companies can eliminate waste by buying only the computing services they need. This dynamism provides a new kind of business flexibility because, over time, the enterprise will be able to apply the concept of "just-in-time production" to computing work. This is not just theory: some small and medium-sized enterprises that can make only limited investments in traditional computing have been active in cloud computing and have created competitive pressure on larger companies, forcing them to take the same approach.


The National Institute of Standards and Technology (NIST) has developed a broad set of terms for describing the various aspects of cloud computing. NIST defines three major delivery models for the cloud, known as the SPI model:

Software as a service (SaaS), in which an entire business application is provided as a service;
Platform as a service (PaaS), which allows rapid application development in the cloud;
Infrastructure as a service (IaaS), in which basic operating system (OS) and storage functions are provided as a service.

NIST further defines four configurations of cloud computing:

Public cloud, a service accessed over the Internet by a broad customer base;
Private cloud, configured for a single organization;
Community cloud, designed for a limited number of related organizations, such as a supply chain;
Hybrid cloud, any combination of the above three configurations.


To provide cloud computing as a low-cost utility, cloud service providers must solve a number of management problems in order to achieve economies of scale. Technologies such as virtualization can be used to make use of every available CPU cycle and all free disk space. In addition, new management tools have been designed to automate customer provisioning and resource allocation. Achieving efficient economies of scale inevitably means that data and other assets from many customers are mixed on shared hardware platforms, separated only by new, often unproven, logical controls. Another major, and perhaps the most far-reaching, effect is that the new technology architecture that delivers these economic benefits is itself an application development platform. There have been few significant platform shifts in computing. Software has been revolutionized in the cloud, and the new software has revolutionized the way business works.


Although it is difficult to argue against the trend toward cloud computing, there are reasons to question the timing of a move to the cloud, especially for very sensitive information and mission-critical processes. In practice, this usually means that an organization makes a series of decisions over a period of time, guided by risk management practices and according to its own unique set of criteria. However, there are also situations in which external factors push an organization into such decisions. For example, a business partner may require cloud computing. Some software companies will undoubtedly prompt or strongly advise their customers to move to the more economical cloud service platform. New, innovative applications will exist only in the cloud. For these reasons, CIOs should try to understand these issues and how they relate to their work. Chief information security officers can not only develop strategies to secure cloud applications but, more importantly, can genuinely influence the direction of the cloud computing industry and the capabilities of cloud service providers. Simply waiting for cloud technology to mature is far from enough. Many of the chief information security officers we have spoken with have spent time familiarizing cloud service providers with their enterprise-level requirements, such as service level agreements (SLAs), compliance issues, regulatory issues in specific areas, and so on. It is much easier for cloud service providers to build enterprise functions into their services now than to retrofit them after enterprises have completed the transition.


The following resources can help you determine your cloud strategy. The European Network and Information Security Agency (ENISA) has developed a "Cloud Computing Risk Assessment", the forum has a "Cloud Cube Model", and the Cloud Security Alliance (CSA) publishes "Security Guidance for Critical Areas of Focus in Cloud Computing", covering 13 areas of concern. In almost all cases, the following key issues are included:


Compliance: ensuring that cloud service providers enable customers to comply with various regulations and standards, such as PCI DSS, HIPAA, non-compliance notification regulations, and the EU Data Confidentiality Act.
Data control: ensuring that customer data has appropriate technical protection measures, is legally protected, and can be used by or returned to customers on request.
Portability and interoperability: ensuring that customers' investment in any cloud, including a private cloud, can be ported to other clouds with maximum interoperability, to protect that investment and ensure the availability of critical services.
Identity and access management: allowing customers to use a mature IAM framework with SaaS providers and other cloud services, maintaining control across a wide range of systems and applications while complying with regulations.


Independent certification of each cloud service provider is the inevitable outcome of the need to demonstrate that the enterprise complies with various security requirements. Organizations will always need to set appropriate codes of conduct and apply strict vendor management to cloud service providers. However, it is unrealistic to expect audits, however frequent and careful, to eliminate all risk, and providers cannot host every client's auditors. Proper certification can, to some extent, ensure that the cloud service provider maintains a reasonable security baseline that reflects the various rules with which the customer must demonstrate compliance. From a cloud service provider's point of view, investing in a smaller number of more stringent certifications is more cost-effective than responding to a large number of audit requests. If an organization does need to audit, auditing a certified vendor is more efficient and concise because certification often narrows the scope of the audit. Many chief information security officers are increasingly concerned about the standards bodies that establish these certifications, which they consider to be overly vendor-centric.


Today, CIOs have the opportunity not only to shape the standards and certifications that apply to cloud service providers, but also to ensure that these standards and certifications are designed to meet the requirements of their own work. Cloud service providers, for their part, want to understand business and regulatory compliance requirements. Whether they are building a private cloud, experimenting with a public cloud, or even running production applications in a public cloud, CIOs will never have a better opportunity to communicate their needs and embed security into cloud services.
