Experts warn that security still receives insufficient attention when it comes to the increasingly popular IT trend of “cloud computing”. What are the main reasons for choosing the cloud? The answer is obvious: first and foremost, it is economical and easy to use.
In a broad sense, “cloud computing” is the outsourcing of data previously kept on personal computers. If you use e-mail services such as Gmail, or if you have an account on a social networking site, then you’re already using cloud computing, since your data is stored and processed on remote dedicated servers. The main advantage of organizing data this way is that it is available anywhere there is Internet access.
For corporate consumers, cloud technologies enable growing businesses to reduce IT costs by cutting the budgets for purchasing the hardware and software needed to process and store information.
Private users, for example, can upload pictures or documents to the cloud using services such as Flickr or Google Docs, and access them from home, from an internet cafe, or from a variety of portable devices.
The “cloud” mechanisms and principles for processing, storing, and accessing data are, of course, very convenient and cost-effective. However, according to experts, the main problem is that the user has no idea who manages the infrastructure, where, or how, or who ensures the safety of the information. The user does not know whether the data is in fact protected. He has no assurance that his information will not disappear or be disclosed at some point.
Many studies show that, despite the increasing popularity of outsourcing IT resources, half of the heads of organizations are extremely concerned about information security and about the potential threats to virtualized computing environments, a problem whose solution requires an integrated approach.
Companies that have their own IT infrastructure take their own security measures, for example using tools such as network filters and antivirus software. If the data is stored and processed in an external environment, security is beyond the control of the data’s owners.
Currently there are no official regulations governing security for suppliers of cloud solutions and services that would let the user be completely confident that their data is properly secured.
Virtualization technologies not only reduce costs and energy consumption but also raise many questions about data protection. In particular, cloud technologies concentrate a huge amount of information in a single place, which in turn can attract computer criminals of all kinds. For example, in January of this year, the operation of Google’s email service was put in jeopardy by a hacker attack.
As cloud technologies develop and become more popular, we can expect a new generation of malicious software that could be a significant means of compromising both the cloud services themselves and the providers that offer them.
Finally, of particular concern in the development of cloud technologies is the possibility of interference with the privacy of service users. For example, it is much easier for various governmental and other entities to gain access to user data stored in the cloud than to data the user stores locally. Such examples already exist. For example, many lenders use social networks as a tool to find debtors.
While in recent months access to applications has been offered on a pay-per-use model, hosted in shared data centers (which is known as cloud computing), arguments continue to fly over security, a recurring objection to the general expansion of cloud use.
Without wishing to deny the existence of risks, I will try to propose the following hypothesis: we will have to set optimal levels of security that do not impede or complicate access to and use of software applications and services.
There is a maximum security level that gives 100% confidence that there will be no risks: always keep your computer off.
Most studies that conclude that quasi-apocalyptic risks exist come from computer security companies or service providers, for whom this has an impact on their security levels and business case.
Those who seem to have the most spyware code distributed around the world are governments, who in turn create the laws for the security checkpoint.
The group of non-internet users is precisely the one that seems to have security issues.
Restrictions on access to internet sites have meant that, in most large organizations, employees have been unable to access critical information necessary for their work when they needed it.
Antivirus, antispam, … and other security services consume so many resources and slow down the PC so much that large numbers of the personnel who manage and maintain networks and teams in organizations have chosen to uninstall them and instead keep a copy of their data and applications, which is restored on a regular basis.
While centers reported that high level of security has localized malware code, which is not on specific devices, internal network or don’t know what type of malware it is, so presumably it exists, but their relation to any risk of physical security is virtually nonexistent.
The greatest risk of information loss lies in overheating of the machine where it is stored. I would not be mistaken in saying that the control measures and physical security of any data center operating on the internet are much stronger than those of any company that keeps its machines on its own premises.
The above statement is also valid for the control and limitation of physical access to machines.
According to studies, revenue in the area of “cloud computing” technologies in 2013 will amount to 150 billion dollars. Many businesses have already moved corporate data to the cloud, and many more companies are going to do so soon, but a lot of people are worried about the security of data stored in the cloud. Of course, no one can guarantee absolute security in any computing environment. However, during the transition to “cloud” technology you can take certain measures that help reduce the risk of data loss to a minimum. For example, when choosing cloud providers, it is important to look not only at the firms’ pricing but also at the security protocols they have implemented. It is important to understand that the transition to “cloud” technologies may be safer than standard internal solutions, as the industry has invested billions of dollars in information security.
In a public cloud system, the end user has a high level of automation. Customers can place their applications in the cloud and manage all the user settings of their services. A public “cloud” does not offer the visibility that a private cloud does. If you use a public “cloud”, you hand over control of where computing resources are placed. In a private “cloud”, resources are used by fewer people and are subject to a higher level of management. Because of these differences, security management in these environments calls for specific practices.
The first and most important step is to establish an authorization procedure. Password selection requires a randomization procedure and strict adherence, by all staff, to the protocols for creating passwords. Amazingly, many people still use words like “password” or digit combinations like “12345” as the password for access to key data sources. By applying standard LDAP and administrator credentials, you can really protect your information.
Having dealt with the internal authorization procedures, you should pay close attention to outsourcing partners. Check whether they follow your security protocols and perform background checks, and whether they comply with any other measures that protect and control the transmission of information. Information sharing is crucial, especially in the case of public computing environments. Providers must use the best encryption tools to keep your information safe and usable. They must also provide administration services of the highest level, including installing firewalls and advanced detection of network attacks.
Legal aspects of data storage in cloud hosting
There are many legal problems connected with the storage of information, especially data that identifies a person. Even though the information is in the cloud, it still has to be located somewhere, and there are rules that govern its movement. Some countries, such as India, impose very strict information security requirements that limit the storage and movement of information. Choose a provider that is knowledgeable about these rules and could, if necessary, quickly move your information to comply with these requirements. According to a study, more than forty states have official regulations governing the methods of protecting personally identifiable information (PII). You should give preference to well-known cloud service providers that have systematic means of controlling the movement of PII within their “cloud” network.
Many cloud providers enter the market without sufficient experience in human resources policies and technologies. That is why, to obtain a comprehensive understanding of how a company works, you should ask more than a dozen questions. One of the most important is who will have the right to access and transfer your information, and whether they will notify you of any security breach or just hide it.
Does this outsourcing company allow you to optionally create an emergency data center in case of disaster?
The contract may provide for higher levels of encryption standards for data storage. In addition, the “cloud” provider should be familiar with the work of any other relevant SaaS provider and its technologies. Your business depends on many different outsourcing companies that handle your information in one way or another, so it is important that the information management system has no weak links.
Outsourcing companies need to adhere to certain standards, assigning passwords that reduce the likelihood of hacking. In a multi-user “cloud” the risk is above average, and therefore cloud providers must show that they use management tools that provide separation to reduce the risks.
Conclusion
Achieving a high level of safety in public and private “clouds” requires attention to confidentiality requirements and user access. New solutions for information storage and management come to market fairly quickly, and as these tools are introduced, users will get additional protection for their information.
Each time the subject arises in a cloud computing meeting, the issue of security comes first. So it was natural that I return to discuss this topic. In this second part, I will address external providers of infrastructure, that is, IaaS cloud providers. It follows the first part, in which we talked a bit about the practice of security in the clouds and the future of this issue.
Analyzing Providers and Security Levels
For IaaS providers, the first reminder is that they are not equal. That is, each provider, despite the apparent similarity of security features when looking at the matter superficially, offers a very different level of security when we delve into the analysis.
It’s inevitable. The experience, training and financial power behind the corporate DNA of each provider will translate into different safety management processes.
A hosting provider aimed at individuals and small businesses that now acts as a cloud provider lacks the experience of a company that has for years been dedicated to providing outsourcing services to customers that are extremely demanding about security, such as banks and credit card operators.
Some examples: What level of physical security control and management do cloud computing providers offer in their data centers?
Are there appropriate technologies to mitigate the effects of DDoS (Distributed Denial of Service)? What are the resources offered by the provider for intrusion detection? What resources are available to ensure isolation of virtual machines from different clients that share the same physical server?
Another aspect that must be analyzed in external providers is the issue of IAM (Identity and Access Management). I suggest you validate how the provider’s own employees access the virtual machines.
Limits and Authorizations For Access To Data
When employees of the provider have access for operational activities such as debugging or applying patches, is such access audited and traceable? In the case of access by customers, does the ISP have procedures to ensure that only authorized users access the virtual machines as clients?
In addition, sales talk may create some additional confusion. Many providers argue that, because they have a SAS 70 Type II audit, they are absolutely safe. That is not true, because SAS 70 does not review the effectiveness of security processes and controls, but only checks whether such procedures exist and are documented.
Another source of confusion arises when looking at the requirements the provider meets. Often, the provider meets only part of the requirements, and it can happen that this part is not up to the level of compliance your company needs.
Thus, it is not enough to know that the provider is compliant with SOX or PCI DSS (Payment Card Industry Data Security Standard). You need to check carefully whether the level of compliance is appropriate to your needs.
Infrastructure and Responsibility for The Cloud Providers
In the end, even if the cloud provider has adequate security processes and controls, your company is ultimately responsible for security. In the case of an IaaS cloud, do not forget that we are talking about virtual servers, and logical access control to applications and data is the responsibility of the users of the cloud, not the provider.
What does all this mean? Simple. Responsibility for the resilience of the cloud is shared by both the provider and its customers. The provider has to ensure the resiliency of data centers and servers. The applications are the responsibility of the company.
After evaluating all these procedures, the final message is to evaluate cloud providers carefully, filter the sales talk, and analyze in detail the security processes and controls offered.
In lectures and meetings on the topic of cloud, the subject that always stands out in the debates is security. Indeed, questions about security and fear of novelty are common and have always arisen.
When, in the early 1990s, the subject was the adoption of the client-server model, the questioning was similar. The same happened when we began to talk about electronic commerce, and there is still great fear of using credit cards over the Internet.
Today, the security theme also permeates the discussion of whether or not to allow the use of smartphones and social media in business. In any case, it is a natural discussion in my opinion.
Later, as cloud adoption spreads, i.e., once these security concerns have been overcome, the issue that will guide events and discussions about cloud will be integration (how to integrate different cloud applications with each other and with applications that are not in the cloud), and later still we will have discussions on e-Governance. But as today’s most prominent theme is security, we’ll explore it a bit more in this article.
Processes and changes
Security methods and procedures change every time the computing model changes. It was so when client-server arrived and many of the methods adopted for centralized environments became useless.
It happened again when the Internet became an integral part of business processes and the methods adopted for internal security proved inadequate and had to be modified. With the adoption of cloud, history is repeating itself. We have to rethink many of the security processes currently used.
However, when talking about security in cloud, we have to separate the public and private clouds. In addition, policies and hence the methods and security procedures adopted differ from company to company, as the risk tolerance is different in different companies and industries.
In private clouds, security policies are already adopted by the company, and already updated to the new model. In public clouds, the security policy is subject to the methods and processes adopted by the cloud provider.
Certifications, costs and technologies
The security concerns are paramount to the success of any provider of public clouds and they, at least those who have sufficient intellectual and financial capital, implement processes, methods and technologies to strengthen security.
Moreover, many seek to pass external audits such as SAS 70 and obtain official certifications such as ISO 27001. In the U.S. and Europe, there is also the quest for compliance with FISMA (Federal Information Security Management Act) for projects with the U.S. government, the Payment Card Industry Data Security Standards for transactions involving credit cards, and the European Data Privacy Directives for operations with European companies.
On the other hand, companies that are less tolerant of risk choose to adopt private clouds for their critical systems, using public clouds only for applications that do not involve risks to the business.
Indeed, cloud adoption happens when the perceived value of the new model exceeds its perceived risk. Cloud should be adopted not only to reduce costs, but for the speed and flexibility that allow the company to innovate and create new products and services supported by IT.
Adoption and review processes and methods
Adopting cloud means reviewing its processes, methods and security technologies. For clarity, we divide the security issue into different aspects such as:
The analysis of these points will set the pace of cloud adoption and determine whether the cloud will be private, public or hybrid. For example, on the audit question, SAS 70 procedures were not fully prepared for cloud, and work is now under way on SSAE 16 as a replacement.
As the concept of cloud evolves, new security processes and technologies will emerge and we will see a virtuous circle. These new technologies will bring more confidence in the use of cloud, which will increase its spread, and with more spread there will be more new and innovative security technologies, keeping the circle turning.
Changes in market
As a sign of the market’s maturity, we have started seeing the first efforts to set security standards. These standards allow consistent classification of the security solutions offered by both private clouds and, especially, public cloud providers.