Cloud Computing Security

By

Jul 4th


Cloud computing has been one of the latest hype’s in the technological world today. It encompasses different technologies, models and platforms which allows for a more efficient computing by centralizing several resources. There are several advantages of cloud computing to companies compared to the conventional computing creating “thirst” for the cloud.

The cloud introduces economies of scale to companies planning to invest in the technology. Virtualization on which the cloud relies on, efficiently utilizes available resources efficiently. Regardless of the model a company decides to adopt a lot of saving in both CAPEX and OPEX will be achieved in the long run. Companies are jumping into the cloud wagon to achieve the savings as IT investments have been known to be costly.

Dependent on the delivery model a company intends to adopt it will allow the company focus on its key business and let the Cloud Provider (CP) concentrate on worries of storage and backups depends on the contractual agreement.

Cloud computing can be delivered into three main models namely;

Public cloud – Services are provisioned over the internet by the Cloud Provider. The CP will be providing IaaS (Infrastructure as a Service), SaaS (Software as a Service) and PaaS (Platform as a Service).

Private cloud – Companies leverages on internal infrastructure using virtualization for enterprise use within its boundaries.

Hybrid – a mix of both the public and private cloud.

Adoption of a private cloud may not be so daunting as compared to adopting a public cloud. In the private cloud model a company has control over its infrastructure and can dictate the security levels and control access to be observed. However, the public cloud model doesn’t offer the luxury of owning up and controlling security access levels and controls.

The Public Cloud model provides whole different security concerns to both the Cloud Provider and their customers. The Cloud Provider must ensure that their infrastructure is secure and customer’s resources (infrastructure, applications and data) are protected while the customer must ensure that the Cloud Provider has taken security measures to protect their information. The public cloud model must ensure protection of data in motion, in process and at rest. As a customer who intends to take up services, the Cloud Provider must demonstrate how they will be able to achieve that to ensure security of their information.

Checklist for selecting a cloud provider

How does the Cloud Provider intend to achieve availability of customer’s infrastructure?

The Cloud Provider should be able to prove that they have taken necessary measures to protect customer’s data both physically and logically. The Cloud Provider should be able to offer the service in multiple regions incase their main site goes down for whatever the reason.

Redundancy of all services/sites should be a must for any serious Cloud Provider. How can the Cloud Provider assure you that your services will be available 24/7 and yet they only have one internet link? The site could be up but once the internet link goes down as a customer you will definitely be shutdown.

Where is the Cloud Provider located?

The Cloud Provider like any other business would want to operate in a location where they are able to cut down on operation costs but this could be at the expense of the customer. If a Cloud Provider is operating in a region prone to natural calamities – storms, earthquakes etc the probability of being down is very high. Same case applies if the Cloud Provider is operating in a war-torn country.

Who are the Cloud Provider employees?

The Cloud Provider employees could access customer information and use for the wrong reasons. As a customer the Cloud Provider should be willing to provide background checks for their employees who are involved in managing the service that the customer intend to acquire. This can give you a picture of who will be babysitting your data.

Requesting for audit logs, user management process give you a glimpse of what the Cloud Provider system administrators are doing when given access to your resources. The Cloud Provider user management process can let you know whether system administrator account and access to data center are denied immediately once they leave the company.

How transparent is the Cloud Provider?

As a customer you can only gauge the Cloud Provider security practices by having access to their security practices. If the Cloud Provider is unwilling to share their security practices to customers that should already tell you that not the right provider to work with. The Cloud Provider security practices shouldn’t be secret as a company you are already willing to entrust your critical and confidential data with then so it your right to know how the Cloud Provider will be protecting that data.

When do we get back again after a disaster?

The Cloud Provider should be able to provide response and recovery time before you even sign off the contract. As a customer you target up time of 100% and the Cloud Provider should be able to guarantee you that they can work with your targets.

How is our data stored?

Cloud Provider provides should illustrate the format in which the customer data will in motion, rest and motion. The Cloud Provider should provide the encryption algorithms that will be used and the management of keys. Its critical for strong encryption to be adopted at all times due to the nature of communication to the cloud.

Does the Cloud Provider segregate data?

The Cloud Provider should be separate your data from their other customers to avoid data breaches that can lead to massive losses. The Cloud Provider should not only indicate that they segregate data but should prove how they do it to avoid data spills.

What regulations does the Cloud Provider adhere to?

The Cloud Provider should be able to provide information to which regulatory body they comply to. The Cloud Provider should be able to verify how they comply and even share latest audit reports as a measure of their compliance. As a customer you can then judge whether it’s worth investing in the Cloud Provider’s cloud.

What’s the financial status of the Cloud Provider?

It’s critical to know the financial status of the Cloud Provider so as to know whether it’s worthy of your investment. If the company is listed in a security exchange, analyzing of its stock and scrutiny of financial statements is a must before entering into a contract with the Cloud Provider. If the Cloud Provider is on receivership or its stock is doing badly you want to shy away as those are signs of a company that is about to go down.

There will be many more checks that a customer must conduct before investing in public cloud computing services. The above checklist doesn’t exhaust all checks and their importance may vary dependent on the customer’s current needs, capability and business strategy.

Cloud computing is definitely the way to go as there are a lot of economies of scale achieved by adoption of the cloud. However, as the maths of savings to be achieved is being calculated information security should feature in the math’s formula.

Leave a Reply

 
© 2006-2019 Security magazine.