The hustle and bustle surrounding cloud computing may make you think that tomorrow there will be a large-scale adoption of cloud computing. However, research from various fields has shown that cloud security is the biggest obstacle to the massive adoption of cloud computing. The reality is that cloud computing is just another natural progression along the path of technology evolution along host, client / server and web applications, etc. http://www.aliyun.com/zixun/aggregation/6324.html " So, as with all other phases, it has its own security issues as well.
Of course, security concerns do not stop the use of these technologies, nor do they prevent the adoption of cloud-based applications that address the real business needs. In order to ensure that the cloud is secure, it needs to be treated as the next evolution of technology, not as a revolution that requires a radical change in the security model. Security policies and procedures need to be tuned to the cloud model in preparation for the adoption of cloud services. As with other technologies, we've seen early adopters dispel mistrust of cloud patterns by taking the lead in deploying private clouds or experimenting with noncritical applications in the public cloud.
Businesses and organizations ask a lot of questions and weigh the pros and cons of using cloud computing solutions. Security, availability, and manageability are all things to consider. What this article refers to is the 10 security-related questions the organization should consider, answering these questions helps businesses and organizations decide whether they need to deploy the cloud, and what cloud models to adopt if they need to be deployed - Private, public or hybrid cloud?
How does cloud deployment change enterprise risk management?
Deploying cloud computing - whether private or public - means you no longer have complete control over your environment, data, or people. Changes in control lead to a change in risk management - in some cases the risk increases, while in others the risk may be reduced. Some cloud applications are completely transparent to you, provide advanced reporting capabilities, and integrate with your existing systems. Such applications reduce the risk for the business. Other cloud applications may not be able to improve their security configuration and can not match the existing security measures of the enterprise, which may increase the security risk. All in all, it is logical that the corporate data and its level of sensitivity will ultimately determine which cloud model to adopt.
2. What needs to be done to ensure that existing security policies accept cloud patterns?
The move to the cloud model is an opportunity to improve the overall security posture and security strategy for your business. Early adopters of cloud applications will have an impact and help drive the security model implemented by cloud providers. Instead of creating new security policies for the cloud, enterprises should extend existing security policies to accommodate new cloud platforms. In order to deploy the cloud and modify the security policy, it is necessary to consider some of the same factors as before: the data stored where, how to protect the data, who can access the data, what regulatory compliance, and service level agreements and so on.
3 cloud deployment will damage the ability of corporate compliance?
Cloud deployment alters the risk profile of the business and can therefore affect the ability of the business to adapt to various regulatory compliance. This requires that regulatory compliance needs to be re-evaluated when compliance needs to be associated with cloud deployments. Some cloud applications have strong reporting capabilities that can be tailored to meet specific compliance needs, while others are more generic, less likely, or less responsive to detailed compliance needs. For example, if the laws of a country stipulate that the data of an enterprise should not be stored outside the borders, some cloud providers may not be able to meet the requirements of this regulation because of the location of their data center.
4. Are cloud providers using some kind of security standard (SAML, WS-Trust, ISO, or others)?
Standards play a very important role in cloud computing because interoperability among cloud services is crucial to ensuring that the cloud does not get patented. A number of organizations have created and expanded various standards-based initiatives that support the cloud. Cloud-standards.Org lists most of the standards-based organizations that are relevant to cloud computing, including those related to cloud security standards.
5. What should I do if a data leak occurs?
When enterprises plan cloud security, they must properly formulate a plan to prevent data leakage and data loss. This is a crucial point when signing an overall agreement with a cloud service provider. Both cloud providers and businesses should establish data leakage notification policies or regulatory rules that must be followed. Businesses must urge cloud providers to support corporate notification needs whenever they need it.
6. In the protection of corporate data security, who is responsible? Or who should be regarded as the main responsibility?
In reality, the responsibility for safety will be shared by both parties. However, it appears to the public opinion courts, at least for today, that businesses, rather than cloud providers, are responsible for collecting data and therefore only the business should be considered as the ultimate owner of information security. If the agreement between the enterprise and the cloud provider sign does not leak, perhaps companies can take less responsibility, and cloud providers share responsibility, but from the perspective of corporate customers, the enterprise will still be considered the ultimate owner.
7. How to ensure that only the appropriate data stored in the cloud?
It is important for organizations to understand what data is sensitive to data and to build the proper security model based on the criticality of the data and the application, which is important to understand what data can be stored in the cloud. This process should start long before you consider cloud deployments as this is a key part of good security practices. Many businesses use data-loss prevention techniques to categorize and tag data.
8. How to ensure that only authorized employees, partners and customers can access data and applications?
Identity management and access management are pre-existing security challenges that can be magnified in cloud deployments with technical capabilities such as federalism, secure virtualization systems, and provisioning all playing a role in cloud security just as they In today's IT platform to play the same role. Expanding and complementing your organization's existing environment to support cloud deployments will help to solve this problem.
9. How to host enterprise data and applications, what kind of security technology is appropriate?
The cloud provider should provide this information as it directly affects the ability of an organization to comply with regulations. Transparency is both important and necessary, as it allows businesses to make informed decisions based on their knowledge of the situation.
10. What factors can companies understand and trust cloud providers?
There are many factors to consider when evaluating the trust level of a cloud provider. Many of these factors are related to the factors that businesses consider when considering outsourcing contracts, such as: Are providers and their services mature; types of contracts, SLAs, vulnerabilities and security policies; performance records of providers; Forward-looking strategy and more.
Moving to a new computing platform is by no means a matter of making decisions without much thought. The answers to these questions are complex and often lead to more questions. This article also touches on some of the shallow security issues that come with revisiting the cloud platform.
In addition, companies should also understand that they have the ability to promote the development of security technologies used in the cloud. It should be understood that cloud consumers can, should and should expect them to take on security responsibilities, making the cloud a truly secure platform that can save costs and increase productivity.
(Editor: Shi Bo-peng)