Cloud Computing – Managing risk within the cloud [LockBOX]
June 26, 2010
The first installment of Securing the Enterprise – LockBOX
HOW DO I MANAGE RISK WITHIN THE CLOUD?
Cloud computing is becoming one of the hottest trends in the enterprise, and information security practitioners like me must understand the significant changes that come with implementing the cloud and the enterprise risk that results. The evolution of cloud computing is ongoing, and every vendor, old and new, is jumping on board by offering cloud-this or v-that, which makes it harder for the security conscious to decipher the security ramifications of the cloud within the enterprise, whether short or long term. In this blog series we will review how a public cloud alters the risk within an organization and how security professionals should get ready for their own companies to make the move into the cloud. Governance is always a concern within companies that must meet compliance requirements, so we will also discuss those frameworks and what modifications need to happen in order to maintain secure cloud integrity.
HOW DOES THE CLOUD INFLUENCE SECURITY?
Today’s cloud is not so much about different technology as it is about a different business model that requires the sharing of resources. Think about it: everything is now shared in a cloud model; shared storage, shared CPU, shared memory, shared physical servers, shared networking. All of it is based upon lowering costs by making more use of the resources that we invest in. Shared resources give a company greater business agility, which is the ability of a business to adapt rapidly and cost efficiently in response to changes in the business environment. Business agility is maintained by adapting goods and services to meet customer demands, adjusting to changes in the business environment, and taking advantage of human resources. Virtualization accomplishes this in a way that no other business model has in the recent past. Along the same lines, this places a significant focus upon enterprise security and the demand for evaluation against corporate governance. Here are some examples of these security challenges with the public cloud architecture today:
Indistinct trust boundaries exist: If you have ever been in the military you understand the concept of protecting your perimeter. Security professionals know where their trust boundaries are in the perimeters of the traditional (non-cloud) IT organization. This becomes convoluted and unclear with the introduction of cloud computing and the designation of trust boundaries and responsibilities for the interactions between the company and its cloud service providers. Are your security standards as good as or better than those of the people you are doing close business with, and where does your responsibility end and the service provider’s begin? I would decree that these responsibilities change from one provider to the next, just as the Service Level Agreements do, and, on top of that, they depend upon which cloud computing service delivery model you have selected: SPI (Software-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service). This means that the responsibilities between you and your provider are different for PaaS than for SaaS. There is confusion circulating about trust boundaries within a cloud environment, and this is the primary reason that information security practitioners are concerned about the security of cloud computing, along with current cloud service providers’ general lack of transparency about their security.
Here are some other concerns that we will discuss and address in a later post, along with how to prepare yourself for the impending cloud:
• Data separation concerns
• Increased network exposure
• Increased application exposure
• No established governance model