Cloud computing can be extremely attractive to many organizations seeking a convenient way to use, scale and maintain computing resources. However, the issues of privacy and security that challenge cloud service vendors can actually dissuade customers from moving to the cloud. This article takes a look at some real examples of the disadvantages of the cloud, and examines some considerations and standards that both vendors and customers ought to consider.
It seems like everywhere you look, there are examples of cloud blunders. In recent months, several high-profile tech giants have made large errors that turned into privacy, security and availability problems for their cloud customers. In mid-May 2011, Microsoft Exchange Online, Microsoft's cloud-based email service, experienced a huge mail backlog; in some cases, messages were delayed by three to nine hours.
Around the same time, the Google Blogger service went offline, or was highly unreliable, taking thirty hours of posts and comments along with it. In this case, the Blogger team rolled back a scheduled maintenance, but failed to explain the problem for users in a timely manner.
In April of 2011, the Amazon cloud experienced major breakdowns, taking down the numerous Web 2.0 companies, software services, social networks and other businesses that ran on it. Affected services included the high-profile Quora, Reddit and Foursquare.
Whether a vendor will reliably honor its privacy and security promises is a significant cause of concern for businesses that have moved their IT infrastructure to the cloud. According to commenter Erik Sherman, “Your company becomes hostage to the vendor. Whenever there’s a technical incident or a sudden change in strategic direction, your company can’t easily shift service providers. That takes complex migration planning.”
With so many companies taking to the cloud, it’s important for cloud computing vendors to be able to establish, maintain and restore trust in individuals and corporations. Whatever problems are facing the cloud service provider will inevitably trickle down to the cloud customer. Customers demand reliable hardware and software without making sacrifices on performance, availability or security.
Experts argue that the perception of competence – that is, being able to assure privacy and security – will be one of the major deciding factors between vendors that succeed and vendors that fail.
NIST on Security and Privacy Issues
NIST (the National Institute of Standards and Technology) has identified various security challenges inherent to the cloud. These are particularly prevalent in public clouds, whose infrastructure and resources are owned by an outside party responsible for selling such services to the general public. The main security and privacy issues and precautions identified in the NIST study on Security and Privacy in Public Cloud Computing are as follows:
- Governance – Organizational practices affecting the policies, procedures and standards used for application development and service provisioning should be extended to the cloud. There should be audit mechanisms and tools available to ensure that organizational practices are being complied with throughout the system lifecycle.
- Compliance – What types of laws and/or regulations exist that may impose security and privacy obligations on the organization? Which laws and/or regulations would impact cloud computing initiatives (e.g. data location; privacy and security controls; and e-discovery requirements)? The vendor’s offerings should be compared to the organization’s requirements to ensure that the contract terms meet organizational policy, laws and regulations.
- Trust – There should be mechanisms embedded in the service contract which allow visibility into security and privacy controls; processes being employed by the vendor; and the performance of such processes over time. A risk management program should also be implemented. Such a program must be flexible enough to adjust to the continually changing risk landscape.
- Architecture – What are the underlying technologies being used by the vendor in order to provision its services? What are the implications of the technical controls on the security/privacy of the system?
- Identity and Access Management – Are there adequate safeguards to secure authentication, authorization and other identity and access management functions?
- Software Isolation – Organizations need to understand virtualization, along with other software isolation techniques that the vendor employs. The associated risks must also be assessed.
- Data Protection – Are the vendor’s data management solutions suitable for the organizational data at hand?
- Availability – During an intermediate or prolonged disruption, or a serious disaster, can critical operations be resumed immediately? In such situations, can all operations eventually be reinstated in a timely, organized manner?
- Incident Response – Organizations need to understand and negotiate contract provisions and procedures for incident response.
As a result, NIST has released a number of guidelines which are meant to help vendors as well as potential or current customers ensure privacy and security in the cloud. These guidelines are summarized below:
- Plan security and privacy aspects of cloud solutions before they are engaged.
- Understand the public cloud computing environment offered by the cloud provider. Ensure that the cloud solution meets organizational security and privacy requirements.
- Ensure the client-side computing environment meets organizational security and privacy requirements for cloud computing.
- Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.
This article takes a look at the issues of privacy and security in cloud computing. In recent weeks, there have been numerous cloud breakdowns experienced by large, high-profile vendors which have come under public scrutiny. These include the April 2011 Amazon cloud breakdown and the May 2011 Microsoft Exchange Online and Google Blogger outages, which affected many users and organizations. The article then explores the NIST (National Institute of Standards and Technology) report, Security and Privacy in Public Cloud Computing, which identifies numerous security and privacy issues as well as recommended guidelines for addressing them.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- NIST Definition of Cloud Computing (Domain 1)
- Contractual Security Requirements (Domain 2)
- Cloud Versus Outsourcing (Domain 3)
- Provider Selection (Domain 8)
- Key Management Best Practices (Domain 11)