In this, the 1st of 3 articles, we focus on the development of cloud security since 2008. Reviewing what have we learned about cloud security, the use of the cloud is accelerating.
A question presents itself with this acceleration — how is security keeping pace with everything in the Cloud? In this article, we are going to focus specifically on the statements provided by Garter in 2008. Though the experienced Cloud professional may see where the second installment is heading — I suggest you make your notes and then let’s compare them. Cloud is still a start-up industry, and everyone’s input is needed to mold what the Cloud of tomorrow will look like.
In June 2008, analyst firm Gartner noted that Cloud computing was fraught with security risks and they highly suggested getting a security assessment from a neutral third-party before committing to a cloud vendor. The reason for this was Cloud computing had “unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing.” (1)
Examples of cloud computing, which Gartner defined as a type of computing in which “massively scalable IT-enabled capabilities are delivered ‘as a service’ to external customers using Internet technologies (1)” were Amazon’s EC2 service and Google’s Google App Engine.
To verify that service and control processes were functioning as intended, and that vendors could identify unanticipated vulnerabilities, Cloud customers needed to demand…
For 2008, Gartner provided these 7 specific security issues that customers should raise with vendors before selecting a cloud vendor (2)…
1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the “physical, logical and personnel controls” IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. “Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access,” Gartner says.
2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are “signaling that customers can only use them for the most trivial functions,” according to Gartner.
3. Data location. When you use the cloud, you probably won’t know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.
4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn’t a cure-all. “Find out what is done to segregate data at rest,” Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. “Encryption accidents can make data totally unusable, and even normal encryption can complicate availability,” Gartner says.
5. Recovery. Even if you don’t know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. “Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure,” Gartner says. Ask your provider if it has “the ability to do a complete restoration, and how long it will take.”
6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. “Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.”
7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. “Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application,” Gartner says.
In part 2 of this installment, we will see what Gartner says today — and what has changed — for better, for worse, and what is new. In part 3 and final installment, We will also provide our own analysis. With all the installments, we invite your feedback.
From the Gartner article in 2008, what do you see as improved? needs more work? What opportunities do you see from their 7 points noted above? Please share with us, we would love to know!
with credit to…
(1) June 2008 Gartner, “Assessing the Security Risks of Cloud Computing.”
(2) Inforworld: Gartner: Seven Cloud computing Security Risks by Jon Brodkin | Network World
image credits to the hris world
You must be logged in to post a comment.