Archive for the 'Cloud Security' Category

Cloud computing – top threats

By Olafur Ingthorsson on April 14, 2010 in Cloud Security. 0 Comments

Last month, The Cloud Security Alliance (CSA) published a short security guidance paper with an interesting overview of the top 7 threats to Cloud Computing (version 1.0) – according to their analysis. The paper can be used as a simple guideline for addressing, and perhaps checking off, all the major security concerns associated with implementing cloud computing and its different service modes.

Cloud Computing: Security Threats

This is important especially as people often lack an overview of all the potential security vulnerabilities associated with cloud computing. As pointed out in the paper, it is seen as a companion to the much more detailed “Security Guidance for Critical Areas in Cloud Computing” from the SCA (version 2.1 issued in Dec. 2009). The paper includes the top 7 following threats that need to be addressed – in accordance with the type of cloud computing adoption, i.e. “IaaS”, “PaaS”, “SaaS”:

#1: Abuse and Nefarious Use of Cloud Computing (IaaS, PaaS)
#2: Insecure Interfaces and APIs (IaaS, PaaS, SaaS)
#3: Malicious insiders (IaaS, PaaS, SaaS)
#4: Shared Technology Issues (IaaS)
#5: Data Loss or Leakage (IaaS, PaaS, SaaS)
#6: Account or Service Hijacking (IaaS, PaaS, SaaS)
#7: Unknown Risk Profile (IaaS, PaaS, SaaS)

The threats are equally important – and should reflect the critical threat concerns in Cloud Computing that organizations experience during their adoption processes. The CSA short paper was influenced by a more detailed European research paper produced by ENISA (European Network and Information Security Agency) called “Cloud Computing: Benefits, Risks and Recommendations for Information Society“, published in Nov. 2009.

Tags: , .

Cloud computing – data privacy and compliance

By Olafur Ingthorsson on March 25, 2010 in Cloud Security. 5 Comments

Often, when the cloud computing discussion takes off, especially in relation to public clouds, one recurring issue soon emerges, namely, the the issue of data privacy and responsibility. It seems clear that different legislations related to data privacy and, especially, cross-border transfer of data is causing a lot of uncertainty and retention by many IT managers considering cloud services. Especially does this relate to certain type of data, e.g. financial information, health records and personal identifiable information. With the global distribution of data centers and the opaquenature of data location in many cloud services – e.g. do you actually now where your Google Apps information is physically stored? – complicates matters further. Compliance with local regulatory issues can be a thorny and sensitive issue, especially for organizations. There are many questions that arise concerning data privacy, accessibility and administration, such as:

  • Data seizure due to legal investigation – organizations need to adhere to local legislation
  • What is the accessibility of local authorities to data under investigation residing in a different jurisdiction
  • Fear of infringement of data protection rights due to seizure of a server in the host jurisdiction
  • Data losses caused by cloud provider and unauthorized disclosures in the cloud
  • The cloud provider goes bankrupt – what happens to my data

If an organization migrates data, application or processes to a cloud provider in another jurisdiction it is still fully responsible for that data and needs to apply to local data protection legislation and regulations when handling personal data. In a public cloud environment this can be difficult as the organization is unlikely to know if and when data is moved, where and how it is stored and, sometimes, who has access to it and what particular security measures are in place. Therefore, it is quite possible that a dispute can arise about who is actually responsible for data protection compliance. Organizations need to be particularly careful when selecting a third-party cloud provider with this in mind and should in all circumstances require a written declaration describing how the provider will address compliance with local legislation and provide assurance in the event of data losses or unauthorized disclosures. Even better, requesting SLAs and certifications of quality and operational control, e.g. equivalent to a SAS 70 Report – Type II (Statement on Auditing Standard 70).

Tags: , , .

Cloud computing – barriers for faster adoption

By Olafur Ingthorsson on January 20, 2010 in Cloud Security. 1 Comment

It’s been maintained by many analysts that the main barriers for a faster public cloud adoption, by organizations in particular, is the lack of sufficient security, reliability and portability (data lock-in). CIO’s and IT managers normally cite these as the primary reasons for their reluctance of trusting a third-party cloud provider for storing or processingtheir sensitive, often personalized data. These are however not new concerns born with the notion of cloud computing – but also exist in other forms of IT management structures, including hosting and outsourcing, which can be classified as close relatives of cloud computing. Still, and rightly so, concerns  for security, reliability and vendor lock-in have been epitomized in cloud computing. So, in a few words, why and how are these the key concerns for organizations thinking about utilizing public cloud services? Here are a few observations:

Security
Handing over your corporate data to a third-party is indeed a very difficult decision for most CIO’s and IT managers. A myriad of questions immediately arise; how can I be sure that my data is sufficiently protected; is my data encrypted while stored and what about when being being transferred to and from the service provider; what about back-ups and access to data in case of data center failure; how about restoration strategy? And the list goes on. Fortunately, many of the larger public cloud providers, like AWS, Google and many others, provide a lot of measures and even SLAs that guarantee a certain level of responsiveness and measures in the case of security breaches and hardware/software failure situations within their own domain. Currently, the problem is more related to smaller cloud providers that do not have the capacity, resources and sometimes knowledge to provide sufficient security measures that relief the concerned CIO/IT manager.
Then there is the thorny and related issue of data privacy, especially of personally identifiable data (PII). If you are a CIO/IT manager, you already know your organization protects personal data and limits data exposure. Internally, organizations institute their own processes and policies for protecting privacy of corporate and individual data and ID’s. However, in the cloud, how can you be sure your data is protected by the provider in equal, or better, way? Additional fear include different legislation and regulations, especially in the context of cross-border cloud services – potentially leading to seizure of your data or confiscation of network servers by authorities in the residing country of the cloud service provider. This is an especially relevant where a buyer located in a particular jurisdiction, e.g. the EU, uses cloud computing services located in another jurisdiction, e.g. the USA. In fact, the EU, for example, prohibits the cross-border transfer of PII data originating in the EU, unless the host country applies to certain EU regulations. In the case of data transfer from the EU to the USA, the US service provider needs to apply to the so called “Safe Harbor Principle”.
In general, the World Privacy Forum provides a helpful guide called Privacy in the Clouds detailing the risks and problems relating to privacy and cloud computing.
Reliability
Not far behind security is the issue of reliability. One of the key characteristics of cloud computing is the Internet as the main transport mechanism – with all its notorious bottlenecks (e.g. response time, latency and packet-loss). How can an organization using cloud services be certain that it obtains and maintains acceptable service levels? Pobably, by securing access through managed networks, e.g. MPLS, and/or using overlay network from network providers like Akamai. Within their own domain, cloud service providers usually comply to strict operational policies and measures to minimize failures or outages in their systems. Automatic fail-over and self-healing infrastructure of virtualized components aids to increase reliability and redundancy.
Lock-in
Finally, many CIOs/IT managers are afraid that by choosing a particular cloud service provider, they will enter a “lock-in” situation with that particular vendor. Due to the lack of standardization, most of the current cloud vendors have implemented and deployed proprietary solutions that lack interoperability with each other. This is a big problem, although some analysts, like David Linthicum at InfoWorld in a blog post “The data interoperability challenge for cloud computing”, are suggesting that in 2010 this issue will be addressed to drive cloud computing adoption. Some cloud related standard organizations, like the Open Cloud Consortium, are working on interoperability standards for cloud computing and frameworks for interoperating between clouds. When this has been resolved, a lock-in situation is less likely to occur and the CIO/IT manager can evaluate vendors in terms of their interoperability levels.
Tags: , .