Jump to content

Cloud computing security

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Amoorthy (talk | contribs) at 04:14, 31 December 2009 (Created page with '{{New unreviewed article|source=ArticleWizard|date={{subst:CURRENTMONTHNAME}} {{subst:CURRENTYEAR}}}} '''Cloud computing security''' refers to a broad set of poli...'). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)

Template:New unreviewed article

Cloud computing security refers to a broad set of policies, technologies, and controls put into place to protect data, applications, and the associated infrastructure of cloud computing. Cloud computing security is often refered to as cloud security.

There are many aspects to cloud computing security. As organizations move data, applications, and even significant parts of their infrastructure to cloud services, the same security and regulatory compliance controls they have in place within their traditional data centers often need to follow. The degree of an organization's need for data governance, privacy, and the securing of confidential and regulated data often impacts what types of cloud services an organization ultimately will select.

Essentially, cloud services computing is the use of compute services where the underlying hardware and software is abstracted from the end user. In this way, cloud computing is an on-demand utility service where IT services are dynamically provisioned.

As organizations move to cloud services, the questions associated with cloud computing security, privacy, regulatory compliance, and availability are likely to increase. Before discussing aspects of cloud computing security, the types of cloud models need to be defined:


Cloud Computing Models

The National Institute of Standards and Technology (NIST) has identified three fundamental cloud computing models, often referred to as the “SPI Model” – Software, Platform, and Infrastructure (as a Service) – and defined as:

  • Cloud Software as a Service (SaaS). The consumer gains the capability to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure – including network, servers, operating systems, storage, or even individual application capabilities – with the possible exception of limited user-specific application configuration settings.
  • Cloud Platform as a Service (PaaS). The consumer becomes able to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure – including network, servers, operating systems, or storage – but has control over the deployed applications and possibly application hosting environment configurations.
  • Cloud Infrastructure as a Service (IaaS). The consumer is able to provision processing, storage, networks, and other fundamental computing resources, and is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).


Cloud Deployment Models

Regardless of the service model utilized (SaaS, PaaS, IaaS), there are four primary ways in which cloud services are deployed. These derivative deployments address specific computing requirements:

  • Public Cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
  • Private Cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on or off premise.
  • Hybrid Cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
  • Community Cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on or off premise.


Security Characteristics

Many security and regulatory compliance issues can arise from each cloud deployment model. Customers often want to be able to trust that their cloud service providers have provided a secure infrastructure; that other organizations or internal deployments cannot access data that’s not authorized; that applications are maintained securely and kept up to date; and that key processes and security controls are auditable, among many other security concerns.

These security implications of cloud computing are manifold. Many argue that public clouds create security concerns for security conscious and heavily regulated organizations, citing loss of physical control, ability to audit, and other issues of transparency. Others argue that some forms of cloud computing services also can reduce the complexity associated with many aspects of security, such as providing for a more homogeneous infrastructure that helps to simplify testing and auditing, providing for easier automation of some security functions, and simplifying aspects of disaster recovery.

Considering these issues, the types of cloud service deployments that organizations will choose will be determined, to a significant degree, based on the perceived balance between the economic and organizational rewards of cloud services and the security and regulatory risks. (1)For instance, it could be reasonable for a public company, such as a manufacturer or pharmaceutical firm, to decide that its financial and private research and development information requires IT to be secured and governed in-house. That would require part of its cloud services to be managed privately, with the cloud infrastructure managed by its own internal IT department or outsourced to a third party. In this way, the organizations would have control over where the data is stored, how it's secured, and who has access. Another example of security and regulatory concerns determining the choice of cloud service deployment could be a regional health care provider selecting a community cloud that is designed and maintained to be fully compliant with the Health Information Portability and Accountability Act. Another example would be a European organization that must follow the EU Data Protection Directive (Directive 95/46/EC), and must ensure that certain types of data not be transferred to third-countries determined not to provide an adequate level of protection. This requirement could also be solved by private or community cloud services. All three organizations could select public clouds for tasks that are not in the scope of their regulated or confidential data.

For all cloud computing models, the way organizations approach cloud security and regulatory compliance will resemble many of the same operational characteristics as modern day networks and data centers. The security, regulatory, and audit capabilities found in the modern data center also will need to be in place within the cloud for regulated and confidential data. For instance, applications and operating systems will need security maintained, while provisioning and identity and access management will have to be in place, much as it is within traditional data centers.

The industry organization, Cloud Security Alliance, has organized cloud service security into thirteen distinct domains:

  • Domain 1: Cloud Computing Architectural Framework
  • Domain 2: Governance and Enterprise Risk Management
  • Domain 3: Legal and Electronic Discovery
  • Domain 4: Compliance and Audit
  • Domain 5: Information Lifecycle Management
  • Domain 6: Portability and Interoperability
  • Domain 7: Traditional Security, Business Continuity and Disaster Recovery
  • Domain 8: Data Center Operations
  • Domain 9: Incident Response, Notification, and Remediation
  • Domain 10: Application Security
  • Domain 11: Encryption and Key Management
  • Domain 12: Identity and Access Management
  • Domain 13: Virtualization

Depending upon the complexity of the organization's IT infrastructure, which cloud service deployment models are chosen (public, private, hybrid, or community) and the internal security controls and regulatory mandates in place will determine the degree to which each, if any, of the domains above will require consideration.



References

Cutting through the fog of cloud security, ComputerWorld, February 23, 2009 http://www.computerworld.com/s/article/333530/Cutting_Through_the_Fog_of_Cloud_Security

Cloud computing not fully enterprise-ready, IT execs say, ComputerWorld, March 2, 2009 http://www.computerworld.com/s/article/9128840/Cloud_computing_not_fully_enterprise_ready_IT_execs_say


Cloud Security Alliance http://www.cloudsecurityalliance.org/

Jericho Forum http://www.opengroup.org/jericho/

National Institute of Standards and Technology http://www.nist.gov/index.html

Retrieved from "https://en.wikipedia.org/w/index.php?title=Cloud_computing_security&oldid=335042686"