Cloud computing security
Cloud computing security (sometimes referred to simply as "cloud security") is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. Cloud security is not to be confused with security software offerings that are "cloud-based" (a.k.a. security-as-a-service). Many commercial software vendors have offerings such as cloud-based anti-virus or vulnerability management.
- 1 Security issues associated with the cloud
- 2 Dimensions of cloud security
- 3 Security and privacy
- 4 Compliance
- 5 Legal and contractual issues
- 6 References
Security issues associated with the cloud
There are a number of security issues/concerns associated with cloud computing but these issues fall into two broad categories: Security issues faced by cloud providers (organizations providing Software-, Platform-, or Infrastructure-as-a-Service via the cloud) and security issues faced by their customers. In most cases, the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected while the customer must ensure that the provider has taken the proper security measures to protect their information.
Dimensions of cloud security
While cloud security concerns can be grouped into any number of dimensions (Gartner names seven while the Cloud Security Alliance identifies thirteen areas of concern) these dimensions have been aggregated into three general areas: Security and Privacy, Compliance, and Legal or Contractual Issues.
Security and privacy
To be considered protected, data from one customer must be properly segregated from that of another; it must be stored securely when “at rest” and it must be able to move securely from one location to another. Cloud providers have systems in place to prevent data leaks or access by third parties. Proper separation of duties should ensure that auditing and/or monitoring cannot be defeated, even by privileged users at the cloud provider.
Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer’s identity management system into their own infrastructure, using federation or SSO technology, or provide an identity management solution of their own.
Physical and personnel security
Providers ensure that physical machines are adequately secure and that access to these machines as well as all relevant customer data is not only restricted but that access is documented.
Cloud providers assure customers that they will have regular and predictable access to their data and applications.
Cloud providers ensure that applications available as a service via the cloud are secure by implementing testing and acceptance procedures for outsourced or packaged application code. It also requires application security measures (application-level firewalls) be in place in the production environment.
Finally, providers ensure that all critical data (credit card numbers, for example) are masked and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.
Numerous regulations pertain to the storage and use of data, including Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, among others. Many of these regulations require regular reporting and audit trails. Cloud providers must enable their customers to comply appropriately with these regulations.
Business continuity and data recovery
Cloud providers have business continuity and data recovery plans in place to ensure that service can be maintained in case of a disaster or an emergency and that any data lost will be recovered. These plans are shared with and reviewed by their customers.
Logs and audit trails
In addition to producing logs and audit trails, cloud providers work with their customers to ensure that these logs and audit trails are properly secured, maintained for as long as the customer requires, and are accessible for the purposes of forensic investigation (e.g., eDiscovery).
Unique compliance requirements
In addition to the requirements to which customers are subject, the data centers maintained by cloud providers may also be subject to compliance requirements.
Legal and contractual issues
Aside from the security and compliance issues enumerated above, cloud providers and their customers will negotiate terms around liability (stipulating how incidents involving data loss or compromise will be resolved, for example), intellectual property, and end-of-service (when data and applications are ultimately returned to the customer
Legal issues may also include records-keeping requirements in the public sector, where many agencies are required by law to retain and make available electronic records in a specific fashion. This may be determined by legislation, or law may require agencies to conform to the rules and practices set by a records-keeping agency. Public agencies using cloud computing and storage must take these concerns into account.
- ^ "Cloud-based Security Software Directory". Mosaic Security Research. https://mosaicsecurity.com/categories/7-securityasaservice.
- ^ ""Swamp Computing" a.k.a. Cloud Computing". Web Security Journal. 2009-12-28. http://security.sys-con.com/node/1231725. Retrieved 2010-01-25.
- ^ ""Thunderclouds: Managing SOA-Cloud Risk", Philip Wik". Service Technology Magazine. 2011-10. http://www.servicetechmag.com/I55/1011-1. Retrieved 2011-11.
- ^ "Gartner: Seven cloud-computing security risks". InfoWorld. 2008-07-02. http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853. Retrieved 2010-01-25.
- ^ "Security Guidance for Critical Areas of Focus in Cloud Computing". Cloud Security Alliance. 2011. https://cloudsecurityalliance.org/research/projects/security-guidance-for-critical-areas-of-focus-in-cloud-computing/. Retrieved 2011-05-04.
- ^ a b "Cloud Security Front and Center". Forrester Research. 2009-11-18. http://blogs.forrester.com/srm/2009/11/cloud-security-front-and-center.html. Retrieved 2010-01-25.
Wikimedia Foundation. 2010.
Look at other dictionaries:
Cloud computing — logical diagram Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a… … Wikipedia
Cloud Computing — Abstrahierter Wolkenumriss umschließt Namen in Ellipsen von Cloud Computing Diensteanbietern. Cloud Computing (selten auch: Rechnerwolke) umschreibt den Ansatz, abstrahierte IT Infrastrukturen (z. B. Rechenkapazität, Datenspeicher,… … Deutsch Wikipedia
Cloud computing — Les principaux acteurs du cloud computing Le cloud computing, informatique en nuage ou infonuagique est un concept qui consiste à déporter sur des serveurs distants des traitements informatiques traditionnellement localisés sur des serveurs lo … Wikipédia en Français
Cloud Computing Manifesto — The Cloud Computing Manifesto is a manifesto containing a public declaration of principles and intentions for cloud computing providers and vendors, annotated as a call to action for the worldwide cloud community and dedicated belief that the… … Wikipedia
Cloud-Computing — Schematische Darstellung Cloud Computing (Synonym: Cloud IT, deutsch etwa Rechnen in der Wolke) ist ein Begriff aus der Informationstechnik (IT), oder genauer aus dem IT Management. Der IT Management Aspekt ist wichtig, da es sich nicht um eine… … Deutsch Wikipedia
Mobile cloud computing — is the usage of cloud computing in combination with mobile devices. Cloud computing exists if tasks and data are kept on the internet rather than on individual devices, providing on demand access. Applications are run on a remote server and then… … Wikipedia
Nimbus (cloud computing) — Nimbus Developer(s) Kate Keahey, Tim Freeman, et al. Initial release TP2.2 2009 01 09 Written in Java, Python Operating system Linux … Wikipedia
Cloud storage — is a model of networked online storage where data is stored on virtualized pools of storage which are generally hosted by third parties. Hosting companies operate large data centers; and people who require their data to be hosted buy or lease… … Wikipedia
Cloud communications — are Internet based voice and data communications where telecommunications applications, switching and storage are hosted by a third party outside of the organization using them, and they are accessed over the public Internet. Cloud services is a… … Wikipedia
Cloud API — Cloud APIs are application programming interfaces (APIs) used to build applications in the cloud computing market. Cloud APIs allow software to request data and computations from one or more services through a direct or indirect interface. Cloud… … Wikipedia