The Cloud Security Alliance (CSA) has done a great job in furthering awareness and creating a homogeneous understanding of the major security concerns in cloud computing. It is best known for its Security Guidance for Critical Areas of Focus in Cloud Computing, with its latest version issued in Dec. 2009. The CSA guidance clearly describes the major concerns, from a security perspective, that companies need to be aware of if they are considering a cloud migration or establishment.
Businesses must be aware of the security risks associated with the different cloud deployment models, i.e. private, hybrid or public. To start with, it is important to map out the data flow from the current infrastructure to an eventual cloud service provider, whether in a private or public context. It is essential to understand if and how data can move in and out of the cloud. Having a high-level understanding of the security risks involved also enables businesses to understand which security and risk controls are appropriate to put in place, and to act proactively.
The three primary service modes in cloud computing, SaaS, PaaS and IaaS, also represent different security approaches for businesses. In the case of SaaS, the service provider is responsible, or should be, for maintaining acceptable service levels and security, governance, compliance and liability expectations. However, in the case of PaaS and IaaS the customer is responsible for effectively managing those same expectations, while the service provider normally ensures at least some degree of security for the underlying platform and infrastructure components.
CSA also points to the importance of classifying risk in relation to each service mode and the location of assets. For example, in a hybrid cloud context, both the customer and the service provider can be responsible for the same risks. The problem is that it is sometimes difficult to distinguish when, and by whom, accountability should be taken. Due to a lack of information about the security controls maintained by the service provider, customers can also be misguided – potentially leading to wrong decisions and adverse outcomes.
To address this problem, CSA proposes a “Security Control Model” that is used systematically to find the security gaps in each layer of a cloud architecture, i.e. from facilities and infrastructure up to the presentation modality and platform. Once this analysis has been performed and the outcomes analysed, it is easier to apply a compliance model that actually fits the requirements, whether that is PCI DSS, SOX, HIPAA or any other appropriate compliance framework or model.
Finally, it should be kept in mind that the security controls in cloud computing are for the most part the same as in any IT environment. Because of the different cloud service models employed and the associated technologies used, there may be some risks present that differ from those of traditional IT solutions. As cleverly worded in the CSA Guidance paper: “Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties.”