Cloud computing has become the buzzword of the infosec world. There are any number of definitions for it, so I will not list them here. The topics discussed alongside cloud computing are usually the advantages it brings to enterprises or the issues and challenges that come with it. Among these, security and compliance are the hot topics discussed most often.
Let us take the service models in the cloud and see whether there are any security and compliance challenges in each of them. The service models are SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service).
In SaaS everything, including the infrastructure, network, servers, storage and application, is owned by the provider; the consumer may have only limited, user-specific permissions. Taking email SaaS as an example, the consumer needs nothing more than a web browser to access the service. The consumer therefore has to trust the provider for the service being accessed, and a secure connection and encryption are the steps the provider must take to establish that trust. The next challenge is 'multi-tenancy', by which the provider manages multiple instances of the service for different consumers. Here the provider must comply with the regulations and frameworks governing data protection, privacy and retention.
In PaaS the consumer has control over the deployed application, which is developed using the provider's platform, and over some application-hosting configurations. The trust and compliance issues of SaaS apply here too. The consumer is additionally responsible for ensuring secure inter-component communication within the deployed application.
In IaaS the consumer has the capability to control fundamental computing resources and can deploy software on them. It is certain that trust, multi-tenancy, encryption and compliance are key concerns in all three service models.
Next come the deployment models in the cloud: the Private cloud, owned by a single enterprise; the Community cloud, shared by a specific community; the Public cloud, sold to the public; and the Hybrid cloud, which is a composition of two or more clouds. Clearly the security requirements, policy and compliance considerations increase as the deployment moves from the private to the hybrid model. Cloud providers are responsible for protecting the data. Important laws such as HIPAA and GLBA require the organization to safeguard its data. Cross-border data transfer should also take into account the EU data protection directive or Safe Harbor, which at minimum require knowing where the data is going to reside and the implications of that. Data security laws such as the Massachusetts regulation require providers, or any third party, to maintain security measures for personal information. Encryption is another requirement the providers must address. Handling compliance here means meeting FISMA, HIPAA, SOX, PCI and SAS 70 audits on the providers' side.
Organizations and governments have taken initiatives to address the security and compliance challenges in the cloud. It is evident that most clouds require strong security controls. Since there cannot be one cloud that fits all, many standards will emerge to guide providers and consumers in taking cloud computing to the next level.