The consensus, resonance and challenge of cloud computing security

Source: Internet
Author: User
Keywords Security Cloud Computing
Looking away, we need to capture the opportunities that cloud computing brings, continuous and rapid change of thinking, optimization of processes, search for methods, change technology; In the near view, the process of migrating to cloud computing provides us with new opportunities to re-examine and plan the relevance of existing infrastructure, applications, and business. As with any new concept and technology, cloud computing, whether Yuan Mou or near-thinking, brings new opportunities and creates new risks, and the unexpected security risks outweigh the current security needs of the enterprise. When you think about choosing whether to choose cloud computing, what is the safe place and worry? This article will discuss the problem of cloud computing security with you through what we have seen and heard, in order to resonate with you.


  


consensus: Cloud computing is a security opportunity


  


whether it is the broad sense of cloud computing security, or the narrow sense of cloud security. At present, the common consensus is that cloud computing is a security technology innovation and development opportunities, in the cloud is not as hot as today, the definition of narrow cloud security has been the wind, as security vendors to show their own security technology systems, architecture leading stage. With the concept of cloud, the reliability, scale, accumulation and thinking of the service mode of the security manufacturer's own technology and architecture become the key words they often hang on the mouth. Industry is also experiencing the cloud is the security of the disaster, or security opportunities after the hesitation, the convergence of views gradually. While security is still one of the primary concerns of companies entering the cloud computing environment, the opportunity that cloud computing brings to security is already a consensus among industry and manufacturers.


  


resonance: Confidence and patience unload the burden on cloud computing


  


Whether it's choosing a cloud service, building a private cloud, or migrating an existing infrastructure to the cloud. First, there is a need for confidence in this emerging technology concept, and many reports from 2010-2011 show that many companies are wary of cloud computing due to security concerns, but attitudes towards security are changing. The 2010 Harris survey showed that more than 81% of users were concerned about the security of cloud services, and that cloud computing was generally considered a lack of security. and by the year 2011, a number of surveys show that companies are starting to pick up the proportion of cloud computing, and Symantec's Cloud Survey report shows 88% of respondents are confident of moving into cloud computing without affecting information security, although only a very small percentage (15%-18%) thinks it is ready to transition to the cloud , though saying much to do less, but according to the survey, for example, companies choose Mail Security, IM security, and other security cloud services than other cloud services, from security concerns to the current security expectations of the assessment, security caused the company's cautious attitude towards cloud computing is changing.


  


also has data from a number of cloud-computing research reports, and shows a firm's fondness for cloud computing. While security concerns persist, more worries are emerging about the effectiveness, availability, assessment of the cloud services, and whether the IT department's control of the system will lead to job losses, and the baggage and haze of security from the birth of cloud is being dispelled.


  


at the same time cloud computing cannot happen overnight so the enterprise and the whole industry must have the patience to walk the process, from the whole industry progress, it may be many companies spend more than 6-7 years, less 3-5 years to transition, and the goal is not simply to move the data center to the public cloud or into a private cloud. The same is true of security, cloud computing technology architecture, platform, terminal computing, each level can not ignore security, each level has security, including management also need security, security is not fragmented, not a certain aspect of security considerations for once and for all. Therefore, the need to look at the existing architecture from all levels to the security system phase, including traditional components, infrastructure, technology applications, development, and so on, when the new application methods appear, is a great challenge to security, if not well handled will bring unpredictable consequences. For example, new and old applications, and the cloud and the existing security architecture compatibility issues? is the data in the cloud and the local risks and compliance issues completely different? What is the migration strategy and how does security policy control dynamic change during migration? Virtualization breaks down physical hard binding, mobile data and applications, security considerations?


  


resonance: Changes in the attribution of security responsibility





the definition of cloud computing security based on the security Guide to cloud computing critical areas, released by the CSA Cloud Security Alliance, the main part of security control in cloud computing is not much different from the security controls in other IT environments, but depending on the cloud service model, the operating mode, and the technology that provides the cloud services that the enterprise uses, Cloud computing may face different risks than traditional IT solutions.


  


as described above, the company's cautious approach to cloud computing security has shifted to other concerns, such as cloud efficiency and usability, as the cloud progresses. One of the major attractions of cloud computing is the economic scalability, the cost efficiencies provided by standardization, in order to support this cost efficiency, the services and solutions provided by the cloud provider must be flexible enough to serve the maximum possible number of users and maximize the enterprise's market, while security integration into these service scenarios will harden the solution. While security is only one reason for the rigidity of cloud services, security integration is essential compared to the risks faced by data and information. So clear accountability, clear enterprise security status of maturity, is the level of effective security control is particularly important.


  

The security responsibilities given by
CSA are divided according to the cloud service model: In SaaS environments, security controls and their scope are negotiated in service contracts, service levels, privacy, and compliance are also stated in the contract. In IaaS, the security of low-level infrastructure and abstraction layers is the responsibility of the provider and the other responsibilities belong to the customer. PAAs is between the two, the provider for the platform itself to provide security, security on the platform and how to safely develop these applications for the customer's responsibility.


  


resonance: Private cloud and public cloud who is safer


  


must first understand the definition of public and private clouds, which are provided by cloud service providers whose cloud infrastructure, platforms or applications serve the public or enterprise. The infrastructure, platform, and applications of private cloud are for the enterprise to operate and service, and the enterprise itself is responsible for management. Of course, enterprises can also be built from the private cloud at the same time, some businesses can choose the public cloud services to provide support, this is the concept of mixed cloud.


  


In short, the private cloud is in the business department, there are clear boundaries, we can think that the private cloud is more secure? As CSA defines cloud computing security, the main part of cloud computing security control is no different from the traditional IT environment's security controls. A more realistic understanding, public cloud providers to maintain the security of their cloud environment, but it provides the public cloud services, private cloud is the enterprise to maintain their own cloud security, to provide their own cloud services. The security issues they face are all based on the nature of cloud computing, the dynamic nature of virtualization means that even private clouds, if a virtual machine in a cloud environment poses a security threat, the communication between virtual machines can be compromised, and the traditional security architecture and defenses of the enterprise may be easily crossed, So is the security boundary of the enterprise private cloud needed to change dynamically, or is it a challenge like traditional security boundaries?


  


at the same time, companies are constantly upgrading the level of their security systems, the building of advanced security systems. Then such systems need to be trusted, based on reputation, IntelliSense, background perception, automated management, dynamic deployment of security policies, and so on. In short, completely break the artificial safety of the update, maintenance, management, as far as possible to save labor costs. Then the problem arises, the ability to meet the security automation of the cloud and the current enterprise's artificial security practices do not match, enterprises are forced to comply with the automation requirements of the cloud, strong security automation, or wait for technology to further improve the security and cloud infrastructure before the full match, balance more conditions and factors? As far as I know, In a future release of the new version of the Security Guide for cloud computing critical areas, there will be a special topic to discuss the security of private cloud in the enterprise.


  


to see the public cloud, in the cloud computing key areas of security Guide V2.1. Most of the content categories involved in cloud computing security are related to the security of the public cloud, as mentioned above in the different cloud service patterns. Companies may ask why they have to take responsibility for the cloud environment, even if they choose the public cloud service, and still stubbornly believe that the private cloud is more secure than the public cloud. Frankly, if the enterprise decides to choose the service of the public cloud, the first step is to fully trust the security technology and capabilities of the cloud supplier, and to identify with the supplier the scope of the security of their respective areas of safety, and to the greatest extent possible the enterprise itself needs to maintain the security content to be perfected; not when faced with the public cloud, vague responsibilities, Not to fulfill the responsibility of the enterprise itself.


  


concluded that the private cloud, even within the scope of enterprise control, if poorly used, still faces the challenge of security threats, public cloud if with the supplier, through reasonable division and cooperation, can also achieve better security.


  


in the "cloud computing Critical Area Security Guide" V2.1, the 12 key areas of cloud computing security control range, divided into governance and operation. Governance components include governance and enterprise risk management, discovery of legal and electronic evidence, compliance and auditing, information lifecycle management, portability, and interoperability. Operational components include: traditional security, business continuity and disaster recovery, data center operations, event response, notification and remediation, application security, encryption and key management, identity and access management, virtualization. And the detailed management and operation suggestions are given.


  


Challenge: The similarities and differences and challenges of cloud computing security and traditional security


  


Why do we say cloud computing security is not the same as traditional security? Now let's look at the similarities and differences between them. The same point: the first goal is the same, the protection of information, data security and integrity, the second protection object is the same, protection of computing, network, storage resources security; The third technology is similar, such as the traditional encryption and decryption technology, security detection technology. Different points: For example, the security problems caused by cloud computing service model, the technology and management problems caused by virtualization.


  


So what are the security threats that cloud computing security faces? Mainly from three aspects of technology, management and legal risk. Challenges include:


  


1. Data concentration, aggregation of users, applications and data resources more convenient for hackers to launch centralized attacks, once the accident has a wide range of effects, serious consequences.


  


2. The traditional protection mechanism based on physical security boundary is difficult to be applied effectively in cloud computing environment.


  


3. Cloud based business model, the protection of data security put forward higher requirements.


  


4. Cloud computing system is very large, when there is a failure, if the rapid positioning of the problem, the challenge is great.


  


5. The openness of cloud computing puts forward new requirements for interface security.


  


6. In terms of management, the challenge lies in the right to management, the management and ownership of cloud computing data are separated, such as whether public cloud services provide some highly privileged management of suppliers, and the need for security to be agreed between companies and service providers, as well as some issues of synergy and management. For example, when the attack of the linkage, the operation of the management model put forward some requirements, as well as regulatory challenges.


  


7. The issue of legal risk is primarily regional. Cloud computing application has caused the regional weak, the information fluidity is big characteristic, in the information security supervision, the privacy protection and so on may have the legal risk.


  


Summary


  


virtualization and security are two of the most closely related technologies associated with the emergence of cloud computing concepts, and the two are closely linked, virtualization to the security of rethinking and building natural conditions, in turn, security technology for virtualization dynamic protection can accelerate its deployment and enterprise acceptance of the pace, they will greatly promote the rapid development of cloud computing. If the cloud computing boom, which technology is the most calm, the first push security. It is because of the industry, the user's near-harsh concerns, so that the development of cloud computing security is pragmatic, but also very practical. Regardless of enterprise and user's acceptance of cloud computing, is the need for cloud effect, or security really let the enterprise relieved, the reality is cloud computing security maturity still have a great distance, apply an idiom "cloud computing has not been successful, security still need to work hard." ”
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.