Thursday, April 28, 2011

Cloud Computing Security

Introduction
In recent years, there has been a tendency to move away from mass in-house storage and keep data on the web or in “The Cloud”. A big advantage of this is that it comes at a reduced price compared with in-house storage. It also lets you access your information anywhere you have internet access. All types of things can be stored; some common ones include pictures, music, and e-mail. Whether you know it or not, you most likely already use cloud computing if you use e-mail like Yahoo Mail, Gmail, or Hotmail, or social media like Facebook. Businesses can use “The Cloud” for many different business applications. The applications are almost limitless, but some common uses include data processing, accounting, e-mail, office productivity software, and call center automation. These applications also include some Software-as-a-Service offerings that are moving off your computer and onto the web. This paper looks at exactly what “The Cloud” is, and at the questions ‘How safe is “The Cloud”, and does it keep your information safe?’ and ‘What preparation can be done to protect you or your business?’

Formal Definition
The National Institute of Standards and Technology, Information Technology Laboratory defines Cloud computing as a
“model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

NIST goes on to list essential characteristics:
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured Service

Just as there are many different clouds in the sky, there are different types of cloud deployments. A Private cloud is run exclusively for one organization. A Community cloud is used by a group of organizations with similar needs or requirements. Public clouds are usually run by a business selling services to the general public or a group of businesses. The last is a Hybrid cloud, which is a unique combination of the first three. Services can also be divided into infrastructure, platform, or software.

How safe
The fact that you can reach your information from all around the world brings up the question “Who else can also get this information?” Do you really know where your data is kept, or by whom? Do you know if any protections are taken to keep your information or data safe from theft or loss? Control over these security procedures is relinquished when computing is outsourced to the cloud.
In the article “Google Blames Software Update for Lost Gmail Data”, Steve Musil states that about 40,000 Google accounts suddenly and mysteriously lost e-mails, contacts, and folders. Luckily for the users, Google keeps multiple copies of data in many different data centers.

According to the editor at Oxford Consulting, cyber criminals are often able to get critical information. Worse yet, the companies that are hacked often have no idea what information was stolen or lost. This loss of information strongly affects consumer trust.

The Homeland Security News Wire adds that criminals even run their own cloud services. They centrally control compromised computers through botnets, using them to host malicious content or to overwhelm a selected target with data. You can actually purchase virtual computers from these people. Amazon’s Elastic Compute Cloud was used by a cyber criminal to run an immense junk e-mail operation. The newswire quotes Haroon Meer as saying “The cloud is going to offer the serious criminal huge computing resources on tap, which has lots of interesting applications.”

Cloud computing security needs to be taken seriously. Redundant data storage and identity and access management are a must. To regain control, you need to ensure that the company you pick has some serious standards in place.

Security
How do you select a cloud vendor when you leave behind the in-house programs that provide a certain physical control over information? You must ask detailed questions and insist on getting information on security. Make sure the company you pick has had tests done to verify that it can protect you. Jon Brodkin quotes Gartner on seven specific security issues a customer should raise with a vendor before selecting one:

1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," Gartner says.

2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions," according to Gartner.

3. Data location. When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.

4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. "Find out what is done to segregate data at rest," Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. "Encryption accidents can make data totally unusable, and even normal encryption can complicate availability," Gartner says.

5. Recovery. Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. "Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure," Gartner says. Ask your provider if it has "the ability to do a complete restoration, and how long it will take."

6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible."

7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. "Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application," Gartner says.

Cloud computing has many benefits, from portability to cost. To take advantage of them, it is important to address some key security concerns: who has access, where the data is, and how well it is backed up. With these precautions, the sky is the limit.



References

Information found at http://en.wikipedia.org/wiki/Cloud_computing

Business uses for the cloud found at http://www.getapp.com/blog/cloud-computing-highly-preferred-for-business-applications/

Cloud Computing models found at https://www.infosecisland.com/blogview/5300-Top-10-Security-Concerns-for-Cloud-Computing.html

Mell, P., Grance, T. (2009, Oct 7). The NIST Definition of Cloud Computing. National Institute of Standards and Technology, Information Technology Laboratory.

Information on how safe found at http://articles.cnn.com/2010-03-12/tech/cloud.computing.security_1_computing-convenience-stored?_s=PM:TECH

Musil, S. (2011, Feb 28). Google blames software update for lost Gmail data. Digital Media. Retrieved from http://news.cnet.com/8301-1023_3-20037554-93.html

Data from Oxford consulting found at http://oxford-consulting.com/industry-news/2011/03/shocking-data-loss-statistics-released/

Homeland Security News Wire found at http://homelandsecuritynewswire.com/cybercriminals-begin-exploit-cloud-hacking

Brodkin, J. (2008, Jul 2). Gartner: Seven cloud-computing security risks. Network World. Retrieved from http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853

Tuesday, April 12, 2011

Do you Learn, when I teach

A link to a Video on "I teach, therefore you learn... or do you?"