Introduction: Cloud computing poses security concerns. In a recent online survey conducted by Unisys Corporation, 51% of the 312 respondents said that security and data privacy were still the main factors hindering their acceptance of cloud computing. In another Unisys network survey in June 2009, 72% of respondents said security was their primary concern when moving workloads to the cloud. Do these worries make sense? or unfounded? Let's see.
Considerations about the Cloud
In adopting any new technology, it is important to judge whether it is merely fashionable or that it can indeed meet its business needs. Cloud computing is likely to save money in both hardware and software licenses, compared with the amount of computing resources you have. But just saving money doesn't necessarily mean it meets your business needs. Specifically, you must study this technology and providers to ensure that they meet the organization's security policy requirements, legal requirements (such as disclosure of information during litigation), and all legal and regulatory requirements related to the organization.
Whether cloud computing meets your business needs depends largely on the type of data that is stored, manipulated, or shared in the cloud.
If you are considering using a cloud to manage sensitive information, including personally identifiable information (PII), HIPAA or Payment card Industry (PCI) data, or any data that is highly confidential or valuable to your organization, you should study the security policies associated with such data. For example, if you are storing credit card numbers, the security policy reflects the PCI requirements, and cardholder data must be encrypted when it is transmitted over a public network or in a static store, such as in a file or spreadsheet. If you plan to send PCI to the cloud or any other data that needs to be encrypted, ask the provider if it can meet the encryption requirements. Also, don't forget to encrypt key management requirements. Also make sure that access controls are set on these objects and are set to deny access by default.
You should ask the provider for security practices. I will ask the following questions:
Does the administrator (root user) access only the data that is required for the job? Does an administrator access a server through an encrypted session? What is the patch management strategy? Do you want to run antivirus and malware protection software? Does the server's configuration meet the requirements of PCI, HIPAA, Oxley, or other laws and regulations that you must meet? What are the password requirements and composition rules? Can I set the password rule to match the needs of the organization?
Most organizations have security policies that require certain processing when a staff member is dismissed or separated. Within the organization, these operations are performed while the employee is away. You should ask the cloud provider if they can quickly identify and close the accounts of these former employees and ensure that they are immediately removed from their access rights.
Another question that should be asked is what kind of logging the provider performs. Many laws and regulations often require the execution of a level of logging (audit). The organization's security policy may require logging administrator actions, authorization failures, health state data reads, failed logon attempts, and so on.
Another aspect to consider is that if a cloud provider is targeted, your organization's information could fall into the hands of hackers. Poor configuration makes it easy for hackers to access an organization's network, which is why some intrusions have been successful. However, some intrusions were found due to data value or number of reasons. (Consider the attack on the credit card processing agency Heartland Payment Bae, one of the biggest data leaks in history.) Although it is fairly easy to avoid part of the attack by choosing the appropriate security settings (only with more secure settings, the hacker is likely to turn to another target), but defending a purposeful attack is like a war with hackers. Because cloud providers store large amounts of data, they may be targeted for purposeful attacks. If the information stored in the cloud is stolen, how much will your organization lose? There may be no loss, but it will be annoying. However, depending on the type of data, it can also be costly (for example, to disclose trade secrets) or to show the need to implement an intrusion notification plan.
A provider may also be a target for a denial-of-service attack. Consider how much impact your organization would have if the services or data stored in the cloud were not available.
If your organization is at a disadvantage in litigation, it may be necessary to submit some electronic data in the course of information disclosure. This is often referred to as electronic Disclosure (e-discovery), and data may include e-mail, databases, documents, and instant chat records. Before you use the cloud to provide e-mail services, you should check your provider's data retention policies. It should be consistent with the Organization's policies, and the time to keep the data should not be too short or too long. You also need to understand the processes required to obtain data, including the additional costs to be paid.
Another aspect to study is data privacy. Some states in the U.S. have special requirements for data privacy. If your organization is doing business in Europe, consider whether data storage will violate the EU data homeowner standards. Keep in mind that when sending data to the cloud, the server where the data is stored may be located anywhere. Cross-border transmission of data may violate privacy laws.
Finally, you should ensure the security of the virtual machine (VM) technology and configuration. If you want to send PII or PCI data to the cloud, you must ensure that the data is inaccessible to people who are not authorized. If you don't want to share a server with someone, you should consider requiring your organization to have its own server in the cloud. In this case, the user in the organization can still use the cloud, and if the VM is compromised, it can at least be determined that the people inside the organization are doing it.
Instead of putting data in a public cloud, some organizations create private clouds. This allows them to enjoy some of the benefits of the cloud while maintaining the ability to control the above security issues.
These security and compliance issues contributed to the establishment of the Cloud Secure Alliance (www.cloudsecurityalliance.org), which aims to define and promote best practices for protecting cloud computing. There is another organization Open Cloud Manifesto (http://opencloudmanifesto.org), IBM is its supporter, and the goal of this organization is to ensure the security of the cloud to meet the needs of the organization.
The security benefits of the cloud
Cloud computing is not entirely without merit in terms of security. Many small companies cannot afford security features, but cloud providers can. For example, most small and medium-sized organizations do not have the resources needed to implement a Security Operations center (SOC). The SOC can bring together events and information from various parts of the organization, perform real-time analysis, alert external threats and/or implement defensive measures. Cloud providers may have a SOC that helps defend against and respond to security attacks. There are usually professional security experts who oversee their operations. With these dedicated resources, they are able to respond more promptly to the latest threats and apply the latest security patches.
Don't be afraid of the clouds
I'm not saying that cloud computing is unsafe and should not be used. Not at all. I used to use the Google spreadsheet to save a project's to-do list, which has a UK business partner. This approach is much more efficient than any method we've used. However, the spreadsheet does not contain any confidential data. If the server that stores it is compromised or unavailable, it will not violate the organization's security policy or any laws and regulations.
I want you to consider the types of data that your organization manages, update the data classification section of your security policy, and make rules for whether data can be sent to the cloud. Then, the corresponding education in the organization. Like many cool new technologies, employees may enjoy the benefits of cloud computing without knowing that it is inappropriate to send some data to the cloud, and that only certain types of data are allowed to be sent.
Be sure to consider and take appropriate measures to protect your organization's data, but don't be afraid of the cloud.