Gartner: Building a high level cloud security baseline

Heiser, vice president of Gartner Research, said that achieving a high level of http://www.aliyun.com/zixun/aggregation/13634.html "> Cloud computing Security still requires a long and arduous effort." He said companies and government organizations with sensitive data could be evacuated from cloud services until security in cloud computing improved.

"Financial institutions are more conservative than small businesses in cloud computing," says Heiser. "In addition, he believes that the use of infrastructure, i.e. services, is more likely to establish a security baseline than software or services because of more flexibility and less reliance on service providers." Overall, however, cloud service providers are not very clear about their business continuity and disaster recovery practices, making it difficult for them to win the trust of their customers.

Gartner's customers are generally disappointed by the incompleteness of cloud-computing contracts, and they are not seeing the security-related regulations they expect in their contracts.

It is difficult to define technical and legal obligations between cloud computing and customers, not only the US federal government in its FedRAMP program (looking for a cloud service provider for government services), but also the Cloud Security Alliance (CSA), which has set up several working groups to define industry standards.

While many organizations are trying to improve the security of cloud computing, and all of these cloud-computing security efforts are worthwhile, these standards take a year to five years to mature.

During this time, businesses and governments identify their needs and assess potential cloud services and their security options as much as possible. First, you should check the confidentiality of the data entering its cloud service.

While the most mature and available security controls in the cloud computing landscape involve identity and access management mechanisms and server-based encryption, cloud service customers should ask the vendor how the encryption key is managed and stored and determine whether the risk is acceptable. Forensics is not currently viable, and it may take 5-10 years to see "strong technology" for cloud computing from overall security controls.

The economic attractiveness of cloud computing is strong, and sometimes economic benefits seem to be about potential risks. Gartner advises customers to consider putting low-sensitivity data into cloud services, and companies must conduct risk assessments for "medium" sensitive data. For highly sensitive data, you should not consider putting it into the cloud service.

Cloud service providers rarely provide any compensation for attacks. And, given that cloud vendors may be leaving the cloud, customers need to ensure that the vendor can return data or have a backup contingency plan. Heiser points out that when Mumboe SaaS closed two years ago, they gave customers two weeks to retrieve the data. This is a wake-up call to customers that cloud services may suddenly "disappear" and that customers should be prepared for this.

Even some household-name cloud service providers (Amazon, Google and Microsoft) may also have data disappearing, at least for a period of time, or disappear forever. "Recovery is not a simple process that puts service loss and availability at the top of your list," Heiser said. In addition, he notes that real-time service upgrades can lead to extensive data corruption.

IT managers are accustomed to thinking that they have control over what they can do for applications, services, servers, storage, and networking, but they need to be fully aware that, depending on the nature of cloud computing, the flexibility of this habit does not exist in cloud computing.

(Responsible editor: Fumingli)