Because outsourced or hosted cloud services often bypass the physical, logical and personnel security controls of traditional in-house systems, cloud technology has been accused of exposing organisations to unnecessary security risks.
It is accepted that cloud technology has created a new set of challenges for security professionals to protect the platforms that deliver cloud services.
Security is not possible without transparency, which is becoming one of the most important essentials for new cloud technology adopters. Users need detailed information on cloud service providers, which should be able to provide a transparent means for them to monitor the flow of corporate data and its storage locations at all times.
On guard
Today it is vital for any organisation looking to migrate its IT infrastructure and services to the cloud to first invest in systems encompassing authentication/authorisation and endpoint security validation to protect confidential data and sensitive information from compromise in the cloud.
To achieve these goals, a parallel infrastructure may be required, one capable of analysing and reporting on system and application activity in the cloud while auditing the delivery of cloud computing services.
A challenge for cloud service providers is to design and apply such an infrastructure capable of handling the large amounts of data and millions of messages per second that will be generated.
Going some way to meet this challenge are new software developments designed to offer significant gains in transparency. For example, there are systems now available capable of measuring the performance of applications deployed by cloud service providers. They are increasingly being viewed as essential to the cloud fabric.
As these systems gain in maturity and sophistication, it will be possible to access up-to-the-minute network performance statistics on cloud computing service providers without their input.
Against this backdrop, the Cloud Security Alliance (CSA), a US-based non-profit organisation, recently adopted CloudAudit as a project to promote the use of best practices in the cloud.
According to the CSA, CloudAudit is a volunteer, cross-industry effort from the best minds and talent in cloud, networking, security, audit, assurance and architecture backgrounds.
Cloud checks
Martin May is regional director of Enterasys Networks.
CloudAudit's charter is to provide a common interface that allows cloud technology users to verify that the security they expect is being delivered via an open, extensible and secure set of interfaces - via the audit, assertion, assessment, and assurance API, or 'A6' API.
The CSA is also working on several projects aligned with CloudAudit. These include CSA Controls Matrix, which provides fundamental security principles to guide cloud vendors and potential customers in assessing the overall security risk of cloud service providers, and the Consensus Assessment Initiative, launched to provide research and tools essential to the preparation of fully transparent cloud computing assessments.
Looking ahead, one of the CSA's key initiatives for 2011 is CloudSIRT, a programme introduced under the auspices of a number of service providers, designed to address the future of collaborative incident response and information sharing in the cloud.
According to the CSA, Computer Security Incident Response Teams (CSIRTs) have worked well for handling malicious activity on the traditional Internet, and will form the core of co-ordinated incident response and computer security information sharing for governments and large enterprises on a global basis.
Against this backdrop, industry watchdogs in the US are warning cloud computing service providers 'to get their houses in order' in terms of privacy and security, or face the prospect of regulatory intervention by the US Congress to ensure transparency.
Already, there are initiatives in place to beef up privacy protection laws in the US that are expected to have global implications, particularly in terms of prosecuting cyber criminals operating beyond the US borders. A key element of the initiatives is to place monetary values on stolen or compromised data and information, including e-mails and digital images.
This increasing emphasis on transparency as an essential cloud computing element will go a long way towards equipping the cloud community with the ammunition needed to respond appropriately to vulnerabilities and threats - and in so doing, enhance user trust in cloud computing.
While the IT industry may be a year or two away from absolute transparency in the cloud, one-by-one the veils are being lifted to reveal another layer of computing services capable of being successfully managed and measured - as all the others are.