Navigating the Security Maze for Cloud Computing

Cloud computing offers a value proposition that is different from traditional enterprise IT environments. By providing a way to exploit virtualization and aggregate computing resources, cloud computing can offer economies of scale that would otherwise be unavailable. The elastic nature of cloud computing provides near-immediate access to resources. This is in contrast to the traditional approach of investing capital, resources and time in designing and implementing infrastructure (hardware and middleware). This allows organizations to realize business benefits faster by shortening time to market.

Understand the benefits and risks

While the benefits of cloud computing can be very persuasive, consumers must have a clear understanding of the potential security benefits and risks associated with a prospective cloud provider. This allows a consumer to set realistic expectations with their internal business partners as well as the cloud provider. Transitioning to public cloud computing involves a transfer of responsibility and control to the cloud provider over information as well as system components that were previously under the organization’s direct control. The transition is usually accompanied by a loss of direct control over the management of operations and also a loss of influence over decisions made about the computing environment.

While security risks need to be addressed, use of cloud computing provides opportunities for innovation in provisioning security services that hold the prospect of improving the overall security of many organizations. Cloud service providers should be able to offer advanced facilities for supporting security and privacy due to their economies of scale and automation capabilities – potentially a boon to all consumer organizations, especially those who have limited numbers of personnel with advanced security skills.

As consumers transition their applications and data to use cloud computing, it is critically important that the level of security provided in the cloud environment be equal to or better than the security provided by their traditional IT environment. Failure to ensure appropriate security protection could ultimately result in higher costs and potential loss of business, thus eliminating any of the potential benefits of cloud computing.

Scrutinize the SLA

Despite this inherent loss of control, the cloud service consumer still needs to take responsibility for their use of cloud computing services in order to maintain situational awareness, weigh alternatives, set priorities and effect changes in security and privacy that are in the best interest of the organization. The consumer achieves this by ensuring that the contract with the provider and its associated service level agreement (SLA) have appropriate provisions for security and privacy.

In particular, the SLA must help maintain legal protections for privacy relating to data stored on the provider’s systems. The consumer must also ensure appropriate integration of the cloud computing services with their own systems for managing security and privacy. The requirement for a strong and fair contract and SLA puts the onus on the cloud consumer. It is extremely important that the consumer understand the service levels of the provider prior to accepting any inherent risks that the structure may set forth.

Resources

An excellent resource that can help consumers with the security maze of cloud computing is the “Security for Cloud Computing: 10 Steps to Ensure Success” white paper recently published by the Cloud Standards Customer Council (CSCC). The CSCC is an end user advocacy group dedicated to accelerating cloud’s successful adoption, and drilling down into the standards, security and interoperability issues surrounding the transition to the cloud.

The CSCC white paper provides a prescriptive series of steps that should be taken by cloud consumers to evaluate and manage the security of their cloud environment with the goal of mitigating risk and delivering an appropriate level of support. The following steps are discussed in detail:

1. Ensure effective governance, risk and compliance processes exist
2. Audit operational and business processes
3. Manage people, roles and identities
4. Ensure proper protection of data and information
5. Enforce privacy policies
6. Assess the security provisions for cloud applications
7. Ensure cloud networks and connections are secure
8. Evaluate security controls on physical infrastructure and facilities
9. Manage security terms in the cloud SLA
10. Understand the security requirements of the exit process

Combined with a previous CSCC white paper on how cloud consumers should manage cloud contracts and Service Level Agreements (SLAs), the security paper is aimed at giving good information and advice to people who don’t have deep security expertise. It provides a step-by-step “here’s how” for cloud consumers to get through the process with some cautions.

Add your voice

With collateral like the cloud security and SLA white papers, the CSCC is making a difference. You can make a difference as well. To add your voice to the growing community, become a CSCC member and join the CSCC working group most aligned to your requirements.

See you in Las Vegas

For folks planning to attend the IBM Pulse 2013 conference in March, cloud security will be a highlighted topic of discussion. I’ll be participating on a panel session titled “Security for Cloud Computing: Understanding Security Challenges” at the conference. This will be an interactive session so if you’re in town, please join us and share your perspective and experience on this critical topic.