Cloud security: The basics
The Cloud Security Alliance and others are working to define security requirements for SaaS, IaaS, and PaaS cloud computing models.
By Mary Brandel
CSO, June 15, 2010
Cloud computing is one of the most-discussed topics among IT professionals today. And not too long into any conversation about the most highly touted cloud models—software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS)—the talk often turns to cloud security.
According to Milind Govekar, an analyst at Gartner, cloud has rocketed up the list from number 16 to number two in Gartner's annual CIO survey of key technology investments. "Like with anything new, the primary concern is security," he says. In fact, the vast majority of clients who inquire about cloud, he says, would rather create a virtualized data center on their own premises—what some call a private cloud—because they're uncomfortable with the security issues raised by cloud computing and the industry's ability to address them.
"We are in the early stages of a fascinating journey into a new computing model that, for all its purported advantages, from a security and risk point of view, is a difficult thing to deal with," agrees Jay Heiser, an analyst at Gartner. "The things that make it easy and appealing—like the immediate plug-and-play productivity—also make it impossible to conclusively assess your relative risks." Current certifications, such as SAS 70 and ISO 27001 and 27002, are not sufficient, he says, leading to frustration for both buyers and sellers.
For this reason, securing cloud computing environments will be a major focus of vendor efforts over the next year, says Jonathan Penn, an analyst at Forrester Research. In the short term, he sees users having to do a lot of the legwork, but over time, "cloud providers themselves will see the opportunity to differentiate themselves by integrating security," he says. Security vendors accustomed to selling directly to the enterprise will find that they need these cloud providers as a way to reach the market, Penn says, and as the market matures, customers will want this stuff baked into the services they're buying. "That will be quite a radical change and a disruption," he adds.
In the meantime, organizations such as the Cloud Security Alliance (CSA) are working to put some shape around the security issues and the ways to address them. The CSA recently released a summary of the strategic and tactical security pain points within a cloud environment, organized into domains, along with recommendations on how to address them. The organization divided those domains into two broad areas: governance and operations.
Domains grouped under governance include:
- governance and ERM
- legal and electronic discovery
- compliance and audit
- information lifecycle management
- portability and interoperability
Domains grouped under operations include:
- traditional security, business continuity and disaster recovery
- data center operations
- incident response, notification and remediation
- application security
- encryption and key management
- identity and access management
The CSA also summarized the top threats to cloud computing, along with the cloud models (SaaS, IaaS or PaaS) to which each threat most pertains and guidance for remediation.