In addition to the usual challenges of developing secure IT systems, cloud computing
presents an added level of risk because essential services are often outsourced to a third
party. The externalized aspect of outsourcing makes it harder to maintain data integrity and
privacy, support data and service availability, and demonstrate compliance.
In effect, cloud computing shifts much of the control over data and operations from the client
organization to its cloud providers, much in the same way organizations entrust part of their
IT operations to outsourcing companies. Even basic tasks, such as applying patches and
configuring firewalls, can become the responsibility of the cloud service provider, not the user.
This means that clients must establish trust relationships with their providers and understand
the risk in terms of how these providers implement, deploy, and manage security on their
behalf. This "trust but verify" relationship between cloud service providers and consumers is
critical because the cloud service consumer is still ultimately responsible for compliance and
protection of their critical data, even if that workload has moved to the cloud. In fact, some
organizations choose private or hybrid models over public clouds because of the risks
associated with outsourcing services.
Other aspects of cloud computing also require a major reassessment of security and risk.
Inside the cloud, it is difficult to physically locate where data is stored. Security processes that
were once visible are now hidden behind layers of abstraction. This lack of visibility can create
a number of security and compliance issues.
In addition, the massive sharing of infrastructure with cloud computing creates a significant
difference between cloud security and security in more traditional IT environments. Users
spanning different corporations and trust levels often interact with the same set of computing
resources. At the same time, workload balancing, changing service level agreements, and
other aspects of today's dynamic IT environments create even more opportunities for
misconfiguration, data compromise, and malicious conduct.
Infrastructure sharing calls for a high degree of standardization and process automation, which
can help improve security by eliminating the risk of operator error and oversight. However, the
risks inherent in a massively shared infrastructure mean that cloud computing models must
still place a strong emphasis on isolation, identity, and compliance.
Cloud computing is available in several service models (and hybrids of these models). Each
presents different levels of responsibility for security management. Figure 1 on page 3 depicts
the different cloud computing models.