This topic offers a broad overview of Cloud Security and specifically examines the differences between the cloud and the conventional IT environment; definitive security concerns in a cloud environment (access control, integrity, availability and compliance); a descriptive process for acquiring cloud services; examples of government and commercial cloud initiatives; and links for further reading.
The Introduction section emphasizes the viewpoint and cultural change necessary, and the understanding required, when moving from a user-controlled conventional IT environment to a third-party-controlled cloud environment.
The Concerns section, while acknowledging the many benefits of moving to the cloud, outlines the areas of cloud security concerns and emphasizes that users are responsible for the security of their own information and applications.
The Access Control section is the first of four sections detailing cloud security concerns. Fundamentally, access control limits who can access user information. This page details the many levels of access, the ways in which those levels are delineated, and the user's responsibility for and participation in the ongoing process of maintaining access control.
The Integrity section refers to the process of ensuring that user data that resides in the cloud is not altered or deleted and that cloud-run applications are operating properly. The process includes technical means (primarily encryption) and operational means (primarily log creation and maintenance). Again, the user's responsibility for overseeing and participating in the process is emphasized.
The Availability section relates to ensuring that information is accessible to the intended users when needed. The three primary and inter-related focuses are Backups of information and systems, Disaster Recovery, and Continuity of Operations.
The Compliance section discusses several topics, including that it is the user's responsibility to: ensure that their data in the cloud remains compliant with all applicable laws, industry standards and regulations; ensure that the cloud Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems are operating effectively; and ensure a positive end-user experience in all cloud operations.
The Acquisition of Cloud Service section is primarily focused on the requirement levied on the user to research cloud computing in depth, particularly security issues; to educate both the IT and Business sides of the organization on cloud benefits and the remaining responsibility and tasks before making a decision to move to the cloud; and to be prepared to ask in-depth questions and demand transparent replies of every cloud provider contacted.
The Government Initiatives section provides information concerning government initiatives to lead the movement of operations of all types to the cloud. This section also includes descriptions of standards and certifications in place for cloud security. In addition, there is a list and short description of the several large-market commercial cloud providers, some of whom are also providing government cloud services.
The movement to the Cloud and cloud computing is over 10 years old. Moving from conventional IT operations in small and large operations has been trending upward year over year for most of that time. Cloud computing has learned a lot, improved operations and added many capabilities over that time period. In the same time frame that cloud computing has had great success, it has also had large failures and the accompanying bad press due to hackers, breaches, and stolen and compromised information. In general terms, these failures are the result of inadequate, even flawed, security. Security remains a primary concern of the cloud provider. But although it concerns providers for their own reasons, they do not have the same concerns as the user, whose information and business are directly affected. As stated many times in this Topic, the user must actively and continuously participate in all the cloud provider's security processes.
There is no question that moving to the cloud is the right thing to do under the right circumstances, with a complete understanding of the issues and knowledge of the cultural changes and remaining security responsibilities incurred by that decision. The caveat to this statement is that the user of a cloud computing service is responsible for the protection of their own information and must take action to protect their information and applications.