For the past few years, cloud computing has quickly grown in popularity, and as such, has come with its own set of risks and security concerns. As use of this service grows by both consumers and businesses, it will no doubt continue to attract the attention of hackers and cyber criminals, as it offers a central repository of data that can contain everything from financial statements, to company intellectual property. On 7/11/2011, eweek.com posted an article called Cloud Computing Security: 10 Ways to Enforce It, which attempts to give several suggestions on the best way to ensure that cloud computing is as safe as it is convenient.
The article goes through 10 steps that it claims are surefire ways to ensure that security in cloud computing is effective. While I think that the suggestions given seem valid and thought out, I found that the lack of details and information left much to be desired. I think that the importance of such a topic, especially as cloud computing continues to grow in popularity and use, cannot be taken lightly, and thus articles like this one are crucial. The article gives the following 10 steps:
1. Identify the Foundational Controls. These are the core of any company's security philosophy, and a relatively small number of controls must be identified and considered of utmost importance. This step attempts to ensure that these factors are considered as the company embraces cloud computing.
2. Focus on the Workload. The article claims that an organization's confidence goes hand in hand with cloud security. Each and every workload should be considered independently, rather than as a whole, because each may have its own governing factors. It is apparently more important to focus on the workload than just on the cloud service itself.
3. Build Consensus Early. Security in the cloud is a group effort. Stakeholders must agree on what constitutes proper security measures, and no security details or risks should be omitted. All parties involved must understand the risks and come to a consensus as to how they should be addressed, so as not to overlook critical variables.
4. Implement a Risk Mitigation Plan. Documentation, education, and training are important features to consider when it comes to cloud security. A proper plan will allow security issues to be dealt with as they arise, while ensuring little impact to customers.
5. Don't Forget Image Management. Virtualization capabilities must be given a management process of their own. This helps to ensure that only the right images are available, which seems to be in the interest of limiting potential security flaws in bad images.
6. Conduct a Security Evaluation. Applications, data, and anything being migrated to the cloud should be evaluated for security flaws and vulnerabilities FIRST. Companies may want to consider outside specialists, such as ethical hackers, to test the integrity of all assets being moved to the cloud before putting them there.
7. Take Advantage of Security Services. Companies should look at services that have been created specifically for cloud computing. These can include everything from intrusion prevention to proper security logging.
8. Develop a Resiliency Program. Ensure that all workloads in the cloud can easily be backed up and restored in the event of a failure.
9. Actively Monitor Performance. An active monitoring program should be put in place to ensure performance and security.
10. Follow a Cloud Lifecycle Model. Cloud technology will be constantly changing, and the model a business uses must change with it.

Overall, I found that this article provided some great insight as to the proper security measures to ensure safe cloud computing. However, I also found the descriptions to be very vague. With an important topic such as cloud security, I found myself asking many questions as to how the aforementioned factors should be achieved, and thought that the article fell very short in addressing them.
Identifying the foundational controls makes sense, but I thought that the article should have given much more attention to what a cloud security philosophy should be centered around. No doubt this will vary from company to company. How should these controls be gauged and evaluated in their importance?
Focusing on the workload is logical. Because this part of cloud security will vary from company to company, I think that the article addressed this point in as much detail as it should have. Overall, I found this to be an interesting point.
Building an early consensus is definitely a great way to ensure proper security. Personally, I think this should have been at the top of the 10 steps, and labeled as one of the most important. Quite frankly, ALL parties must understand the potential risks of security flaws and vulnerabilities, and all must understand what the impacts can be. It is not enough for IT staff to understand these risks, and I thought that this point was definitely one of the most important steps to ensuring not only cloud security, but also how it should be evaluated.
Having a risk mitigation plan is an important step for ALL information systems, and not just cloud computing. With this in mind, I found that the article fell short in that it does not describe what the difference in such a plan would be for cloud computing vs. a traditional data/computing environment. This plan can vary from business to business, but I think the article should have given some things to consider.
Image management may be important. It's hard to tell what the article was referring to with this point. Why is this an important factor in cloud security? What risks does it pose? I found that none of these questions were addressed in this point, and that the article should have done more to explain why this point was significant at all.
Security evaluation was another point that I thought should have been higher up on the list, and suggested with much greater importance. If data and applications have vulnerabilities outside of the cloud, then they will certainly have them from within. I think that the article did a great job in describing the importance of this point, but probably should have presented it with much more urgency than it did.
Taking advantage of security services is definitely something that businesses engaging in cloud computing must consider. Providing the proper cloud security may very well be beyond the scope and ability of the company, and that is where a third party is a great investment. The article, however, should have provided examples of reputable security companies that specialize in this service, and given the reader some insight on which companies offer these services.
Having a resiliency program is a must. But exactly how should such a program be different in cloud computing? The article did not offer any suggestions on how this may be accomplished, or how it would be different than a traditional server or data center. How, where, and when should these backups be done? And how long should they be kept? What factors should be relevant in making such decisions?
Performance monitoring is crucial, as it is in any information system. I would like to add that I think this should be done in as close to real time as possible. When you have customers and clients utilizing your services, catching an intrusion, crash, or outage after the fact is not acceptable. It is therefore important that a company's cloud computing environment possess the necessary system resources for real-time evaluations.
Following a cloud lifecycle is somewhat of a broad suggestion. Because the cloud is a relatively new technology (or at least, in its current popularity and use), it may be difficult to gauge such a lifecycle. While I think the article makes a sound point, I think that it should have been mentioned that this is still a developing technology, and that the lifecycles may not yet be clearly defined.
I for one am not a fan of cloud computing, and have had no desire to utilize it for any personal reasons. This is because I think there are many unaddressed security and privacy risks that have been overshadowed by the hype this technology has created. It was, therefore, nice to read an article that attempts to give businesses an idea of how security on the cloud should be conducted. While I agreed with the 10 steps provided, I don't think the article did enough to explain why these steps were important, or to offer suggestions or resources on how to follow them. Ultimately, as cloud computing becomes more popular and utilized, security will no doubt become a growing concern. I think that more articles like this one need to be written, and a more comprehensive set of guidelines, based on these 10 steps, should be developed and standardized.