Cloud Computing Security

History of Cloud Computing Security

Early Events

There have been a few scares – however founded or unfounded – regarding cloud computing security.

In one high-profile example, Amazon, one of the biggest names on the internet, was also one of the first to offer cloud computing products. However, its Amazon Web Services received some bad publicity when services suffered outages. Amazon Web Services have also been used to deliver spam and viruses, and consequently have been blacklisted and blocked by a number of websites.

As a result of events such as these, a number of initiatives have been started in order to improve both cloud computing security itself, and also the general perception of cloud computing security overall.

One such initiative is the Cloud Security Alliance, which has the following organisation and objectives:

The Cloud Security Alliance is a non-profit organization formed to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

The Cloud Security Alliance is comprised of many subject matter experts from a wide variety of disciplines, united in our objectives:

  • Promote a common level of understanding between the consumers and providers of cloud computing regarding the necessary security requirements and attestation of assurance.
  • Promote independent research into best practices for cloud computing security.
  • Launch awareness campaigns and educational programs on the appropriate uses of cloud computing and cloud security solutions.
  • Create consensus lists of issues and guidance for cloud security assurance.

Aspects of Cloud Computing Security

Security and Privacy

Data security is the practice of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Data privacy is the practice of ensuring that the collection and dissemination of data meets with both the public expectation of privacy, and the associated legal obligations.

Data Protection

Data protection is the practice of properly segregating one customer's data from that of another. The data must be stored securely at all times, whether “at rest” or moving from one physical or electronic location to another. Cloud computing vendors should take steps to ensure that data is not ‘leaked’ or accessed by third parties, and that audit trails cannot be compromised by users, however privileged, at the vendor's location.

Identity Management

Identity management is the practice of managing identities, including but not limited to:

  • Establishing the identity; initially linking an identity, e.g. name or number, with the subject or object; updating that identity as required throughout its lifetime.
  • Describing the identity; assigning attributes of the particular subject or object to the identity; updating the attributes as required throughout the identity’s lifetime.
  • Logging identity activity; recording access to logs of identity activity; providing the ability to analyze behaviour patterns of the identity.
  • Properly destroying the identity at the end of its lifetime.

Physical and Personnel Security

Physical and Personnel Security is the practice of ensuring that all elements of the cloud computing system are physically secure, and that any physical or electronic access to these elements and relevant customer data by vendor personnel is adequately and appropriately restricted and documented.

Availability

Availability is the practice of vendors meeting their obligations to provide customers with regular and predictable access to the specified cloud computing resources.

Application Security

Application security is the practice of eliminating or at least minimising vulnerabilities through the appropriate interventions during the design, development, deployment, upgrade, and maintenance of the application.

Privacy

Privacy is the practice of vendors ensuring that any critical data – e.g. credit card numbers – are cloaked, that only appropriately authorized users have access to complete data, and that customer identities, credentials, and records of customer activity are similarly protected.

Compliance

Compliance is the practice of vendors ensuring that both they and their customers can comply with the various regulations relating to the storage and use of data – e.g. the Payment Card Industry Data Security Standard (PCI DSS); the Health Insurance Portability and Accountability Act (HIPAA); the Sarbanes-Oxley Act – by providing, or allowing for, facilities to complete any regulatory requirements, such as reporting and audit trails.

Business Continuity and Data Recovery

Cloud computing product vendors should have business continuity and data recovery plans in place to ensure that service can be maintained in case of disaster or emergency.

Business Continuity

Business continuity planning (BCP) is the practice of “planning which identifies the organization’s exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization, whilst maintaining competitive advantage and value system integrity”.

Data Recovery

Data recovery is the practice of salvaging data from secondary storage media when it cannot be accessed normally – e.g. due to physical or logical damage to the storage device or file system.

Logs and Audit

Logs and audit is the process of vendors ensuring that logs and audit trails are properly secured, maintained for the required period, and accessible to the appropriate bodies if and when required.

Unique Compliance Requirements

In addition to the legal requirements, the vendors may also be subject to particular compliance requirements imposed by their customers.

Legal and Contractual

Legal and Contractual compliance is the practice of vendors and their customers agreeing responsibility for aspects such as liability, intellectual property, and end-of-service matters.
