Trusttone

Security for Cloud Computing
2009.12.05 01:04:12 Rajesh Kanungo

According to the IDC Enterprise Panel (August 2008), the main challenges and issues facing cloud computing are Security (74.6%), followed by Performance (63.1%) and Availability (63.1%). Regulatory requirements prohibit cloud computing in fully 49.2%. In the coming years, federal and state regulatory requirements related to Personal Information, Patient Health Information, Credit Card information, etc. will become stricter, so I fully expect to see an increase in the challenges related to using cloud computing.

There are some security advantages in moving to a Cloud Computing model. For example, homogeneity makes securing and testing simpler, security management can be automated, redundancy and disaster recovery are more easily available, and highly skilled security people can be utilized effectively. That is, only if the Cloud Computing enterprise is Well Run.

Cloud Computing comes with its own set of Security Requirements

You, the customer, have to ask the right questions and verify the information provided by the vendor before signing up for their services. Remember that it is your business that is directly liable for any and all security violations. Most state and federal security regulations require you to make sure that any third party handling Personal and related information provided by you also meets the regulatory standards. You must verify the management, ownership, location, accessibility, service track record, etc.

The Cloud Computing service provider must be able to show you verifiable security processes that are in place to respond to security attacks and breaches. If a breach involves regulated information, the provider may have compliance requirements forcing them to report it to state and/or federal authorities and, in some states, to the affected party, for example, a patient. The service provider must have processes in place to warn you of security-related events in a timely, complete, and transparent manner. The service provider must support you during any investigation, must provide you with accountability regarding their administration of the service, and must allow you to examine any customization, to compensate for your loss of physical control.

Apart from standard security practices that are already being deployed in enterprises (firewalls, malware protection, access control, encryption, etc.), Cloud Computing adds some new quirks to worry about:

* Elastic computing allows for provisioning and deprovisioning, opening up vulnerabilities in the provisioning service itself.
* Data storage can be compromised. Encryption will help, but there have to be tools to manage the keys and policies to prevent data leakage.
* Virtual Machines can be compromised due to multi-tenancy and hypervisor vulnerabilities. Newer software helps with better isolation, sandboxing, etc.
* The relatively fast allocation and deallocation of resources may prevent breaches from being noticed. Post-breach analysis becomes hard when the Virtual Machines have been torn down. Malware can sit around and hide in the clutter of Virtual Machines and resources being constantly allocated and freed.
* Data storage may end up overseas, where it is subject to different laws and may also be subject to espionage, encryption prohibition, and different or non-existent privacy laws.

Conclusion:

If you choose Cloud Computing for your applications, make sure to do your due diligence, especially with the security offered by the provider.


Tags: Cloud Computing | Security

 