The consensus, resonance and challenge of cloud computing security

Source: Internet
Author: User
Keywords: security, cloud computing, cloud computing security, private cloud

It goes without saying that cloud computing is still a rapidly changing field, whether you are at its forefront or following behind. On October 18, 2010, the Ministry of Industry and the Development and Reform Commission wrote cloud computing and virtualization into the "Twelve-Five" strategic planning and designated five cities, Beijing, Shanghai, Shenzhen, Hangzhou and Wuxi, as the first to carry out pilot demonstration work on cloud computing service innovation and development. In the long view, we need to seize the opportunities that cloud computing brings by continuously and rapidly changing our thinking, optimizing processes, searching for methods and changing technology. In the near view, the process of migrating to cloud computing gives us a new opportunity to re-examine and plan the relationships among existing infrastructure, applications and business. As with any new concept and technology, cloud computing, whether in long-term planning or near-term thinking, brings new opportunities and creates new risks, and the unexpected security risks outweigh the current security needs of the enterprise. When you consider whether to choose cloud computing, where do you feel safe and what worries you? This article discusses cloud computing security through what we have seen and heard, in the hope that it resonates with you.

Consensus: cloud computing is a security opportunity

Whether we mean cloud computing security in the broad sense or cloud security in the narrow sense, the current consensus is that cloud computing is an opportunity for innovation and development in security technology. Even before the cloud was as hot as it is today, the narrow definition of cloud security was already in vogue, serving as a stage on which security vendors showed off the lead of their own security technology systems and architectures. With the cloud concept, the reliability, scale and accumulated experience of a security vendor's own technology and architecture, and its thinking about service models, became the key words vendors always have on their lips. The industry, too, after hesitating over whether the cloud is a disaster or an opportunity for security, has gradually converged in its views. While security is still one of the primary concerns of companies entering the cloud computing environment, the opportunity that cloud computing brings to security is already a consensus among the industry and vendors.

Empathy: Confidence and patience to unload the burden of cloud computing

Whether an enterprise is choosing a cloud service, building a private cloud, or migrating existing infrastructure to the cloud, it first needs confidence in this emerging technology concept. Many reports from 2010-2011 show that many companies are wary of cloud computing because of security concerns, but attitudes towards security are changing. The 2010 Harris survey showed that more than 81% of users were concerned about the security of cloud services, and that cloud computing was generally considered to lack security. By 2011, a number of surveys showed that the proportion of companies taking up cloud computing was starting to rise, and Symantec's cloud survey report shows that 88% of respondents are confident that moving to cloud computing will not affect information security, although only a very small percentage (15%-18%) think they are ready to transition to the cloud. More is said than done, but according to the surveys, companies choose security cloud services such as mail security and IM security more than other cloud services. Going from security concerns to today's security expectations, the cautious attitude towards cloud computing that security caused among companies is changing.

A number of cloud survey reports also contain data showing companies' enthusiasm for cloud computing. While security concerns persist, more worries are emerging about the effectiveness, availability and assessment of cloud services, and about whether the IT department's control of the system will lead to job losses. The security baggage and haze that the cloud has carried since its birth are being dispelled.

Cloud computing cannot happen overnight, so enterprises and the whole industry must have the patience to walk through the process. Judging from progress across the industry, many companies may take 6-7 years at the long end, or 3-5 years at the short end, to make the transition, and the goal is not simply to move the data center to a public cloud or into a private cloud. The same is true of security. In the cloud computing technology architecture, platform and terminal computing, no level can ignore security; every level has its own security, and management needs security too. Security is not fragmented, and considering one aspect of security does not settle the matter once and for all. The existing architecture therefore needs to be examined at every level against the security system, including traditional components, infrastructure, technology applications, development and so on. When new ways of using applications appear, they are a great challenge to security and, if not handled well, will bring unpredictable consequences. For example: How compatible are new and old applications, and the cloud, with the existing security architecture? Are the risks and compliance issues for data in the cloud completely different from those for local data? What is the migration strategy, and how does security policy control dynamic change during migration? Virtualization breaks the hard binding to physical hardware and makes data and applications mobile; what are the security considerations?

Resonance: Changes in the attribution of security responsibility

According to the definition of cloud computing security in the "Cloud Computing Critical Area Security Guide" released by the Cloud Security Alliance (CSA), the main part of security control in cloud computing is not much different from the security controls in other IT environments. However, depending on the cloud service model, the operating model and the technology used to provide cloud services to the enterprise, cloud computing may face different risks than traditional IT solutions.

As mentioned above, as cloud adoption has deepened, companies' caution about cloud computing security has shifted to other concerns, such as cloud efficiency and usability. One of the major attractions of cloud computing is economic scalability and the cost efficiency that standardization provides. To support this cost efficiency, the services and solutions offered by the cloud provider must be flexible enough to serve the largest possible number of users and maximize its market, whereas integrating security into these service scenarios makes the solution more rigid. Security is only one reason for rigidity in cloud services, but given the risks that data and information face, security integration is essential. So clear accountability, a clear view of the maturity of the enterprise's security posture, and the level of effective security control are particularly important.

The security responsibilities given by CSA are classified according to the cloud service model. In SaaS environments, security controls and their scope are negotiated in service contracts; service levels, privacy and compliance are also stated in the contract. In IaaS, the security of the low-level infrastructure and abstraction layers is the responsibility of the provider, and the other responsibilities belong to the customer. PaaS lies between the two: the provider secures the platform itself, while the security of applications on the platform, and how to develop those applications securely, is the customer's responsibility.

Resonance: Private cloud and public cloud who is safer

The first thing to understand is the definition of a public cloud and a private cloud. A public cloud is provided by a cloud service provider whose cloud infrastructure, platform or application serves the public or enterprises. The infrastructure, platform and applications of a private cloud are operated for and serve the enterprise itself, and the enterprise itself is responsible for managing them. Of course, an enterprise can also build its own private cloud while choosing public cloud services to support some of its business; this is the concept of a hybrid cloud.

In short, the private cloud sits inside the enterprise and has clear boundaries, so can we assume that the private cloud is more secure? As CSA's definition of cloud computing security says, the main part of security control in cloud computing is no different from security control in the traditional IT environment. A more realistic understanding is that a public cloud provider maintains the security of its cloud environment, except that it provides services to the public, while with a private cloud the enterprise maintains its own cloud security and provides cloud services to itself. The security issues both face stem from the nature of cloud computing. The dynamic nature of virtualization means that, even in a private cloud, if one virtual machine in the cloud environment poses a security threat, communication between virtual machines can be compromised, and the enterprise's traditional security architecture and defenses may be easily bypassed. So does the security boundary of the enterprise private cloud need to change dynamically, or does it face the same challenge as traditional security boundaries?

At the same time, enterprises are constantly raising the level of their security systems, that is, building advanced security systems. Such systems need to be trusted and to be based on reputation, intelligent awareness, context awareness, automated management, dynamic deployment of security policies and so on. In short, they should do away with manual security updates, maintenance and management entirely and save labor costs as far as possible. Then a problem arises: the security automation that the cloud requires does not match the enterprise's current manual security practices. Should enterprises be forced to comply with the cloud's automation requirements and push security automation hard, or wait until technology has improved further and security and cloud infrastructure fully match, weighing more conditions and factors? As far as I know, a future release of the "Cloud Computing Critical Area Security Guide" will devote a special topic to the security of enterprise private clouds.

Now look at the public cloud. In V2.1 of the "Cloud Computing Critical Area Security Guide", most of the categories of cloud computing security covered relate to the security of the public cloud, as mentioned above for the different cloud service models. Companies may ask why they still have to take responsibility for the cloud environment even when they choose a public cloud service, and still stubbornly believe that the private cloud is more secure than the public cloud. Frankly, if an enterprise decides to use a public cloud service, the first step is to fully trust the cloud supplier's security technology and capabilities, to define with the supplier the scope of security each is responsible for, and to make the security that the enterprise itself must maintain as complete as possible. It should not, when facing the public cloud, leave responsibilities vague or fail to fulfil the enterprise's own responsibilities.

To sum up, a private cloud, even within the scope of enterprise control, still faces security threats if it is used poorly, while a public cloud can achieve better security through a reasonable division of responsibility and cooperation with the supplier.

In the "Cloud Computing Critical Area Security Guide" V2.1, the 12 key areas of cloud computing security control are divided into governance and operation. The governance areas are: governance and enterprise risk management; legal and electronic discovery; compliance and audit; information lifecycle management; and portability and interoperability. The operational areas are: traditional security, business continuity and disaster recovery; data center operations; incident response, notification and remediation; application security; encryption and key management; identity and access management; and virtualization. The guide gives detailed management and operational recommendations.

(Responsible editor: The good of the Legacy)
