Forrester: Users need to be cautious about cloud security

The security gap in cloud computing needs to be more carefully scrutinized than traditional IT outsourcing models, according to the latest report by Forrester, a market analyst.

In traditional outsourcing mode, users place their services in other people's data centers, or by service providers to manage the devices used by the user. But in the era of cloud computing, which is rife with multi-tenant rules, where users may not know where their data is stored, or how the data is replicated, Forrester analyst Chenxi Wang in the title "How Safe is your cloud?" 》

"Cloud computing has eliminated the link between data and infrastructure, making low-level operational details more ambiguous, such as where data is stored and how it is replicated," Wang said. Although traditional IT outsourcing rarely employs a multi-tenant model, this pattern is almost dominant in cloud computing services. These differences raise a range of security and privacy issues that not only affect your risk management strategy, but also allow businesses to reassess legal issues such as compliance, auditing, and electronic discovery. ”

With the rise of SaaS services, coupled with the advent of Web platforms for creating applications and hosting servers or storage space, many people in the industry have seen the benefits and drawbacks of cloud computing.

Wang pointed out that Electronic Privacy Information Center recently complained to the Federal Trade Commission about Google, saying Google's security and factor control was inappropriate.

"Like many others, we have seen the great potential and benefits of migrating to the cloud," Wang quoted Steve Whitlock, Boeing's chief security architect, as saying. But we also see risks, security, and interoperability issues. The cloud computing industry still has a long way to go. "Because of the lack of visibility and control that makes it difficult to secure application and data security in the cloud, users must carefully evaluate the vendor's security and privacy policies."

"Companies must take these aspects into account: data protection, identity management, vulnerability management, application security, incident response, and privacy measurement," she writes. ”

For example, a user application looks for information about the vendor's encryption system, how the vendor protects static and dynamic data, authentication and access control processes, and whether the vendor has appropriate data isolation and measures to prevent data leaks.

There are many questions to ask, not just security, but also related responsibilities. Users need to sign a service-level agreement with a service provider, which requires a list of "detailed liability terms and solutions".