IT security is a well-researched and mature area. Enterprises do commerce over the web today because IT security practices, tools and technologies have matured enough to establish trust and overcome the early concerns. As with most new technology paradigms, security concerns surrounding cloud computing have become the most widely talked about inhibitor of widespread usage, as discussed in my previous post.
To gain the trust of organizations, cloud services must deliver on security and privacy expectations that meet or exceed what is available in traditional IT environments. Let us discuss what the top security concerns are when it comes to cloud.
Transparency or Less Control
If we look at the security and privacy domains in cloud, they are no different from the traditional domains. We need to secure the infrastructure, network, endpoints, applications, processes, data and information, and have overall governance to mitigate risk and meet compliance requirements. But in a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases, greatly affecting all these aspects of IT security. The different cloud deployment models, such as public, private and hybrid clouds, also change the way we need to think about security. The responsibilities are spread across consumers, service resellers and providers. The immediate risk of this shared responsibility is that nobody gets a holistic view of security, and so there is less customization of security controls. Consumers need visibility into day-to-day operations as well as access to logs and policies. Reduced visibility or transparency is the topmost concern, shared almost universally.
Data and Information Security
The next primary concern that customers mention about security on the cloud is data and information security. The specific concerns include:
- Protection of intellectual property and data
- Ability to enforce regulatory or contractual obligations
- Unauthorized use of data
- Confidentiality of data
- Availability of data
- Integrity of data
A shared, multi-tenant infrastructure increases the potential for unauthorized exposure, especially in the case of public-facing clouds. Security administrators need to worry about designing security for applications and data that are publicly exposed and can potentially be accessed by anybody on the internet.
Different industries and geographies have different regulations and rules that they need to comply with, depending on the workloads and data they put on the cloud. Complying with SOX, HIPAA and other regulations is one risk or issue because of which customers are not ready to put their applications on the cloud. Cloud or no cloud, comprehensive auditing capabilities are essential for these sorts of workloads.
Security Management - Methods and Tools
Finally, customers need to know how today's enterprise security controls are represented in the cloud. They need to understand how security events are monitored and correlated, and how actions are taken when needed to keep their infrastructure, workloads and data safe. Security getting in the way of high availability is another key concern. IT departments worry about a loss of service should outages occur for security reasons. If one does, then for mission-critical applications the priority is how soon the environment can be brought back at the same level of security.
Until all of these concerns are addressed, and without strong availability guarantees, customers may not be ready to run their apps in the cloud. But things are not as bad as we might think. We will discuss how these aspects can be addressed, and what tools and technologies to put to use, in the subsequent posts.
Meanwhile, I recommend that you read this very interesting whitepaper, “Cloud Security Who do you trust?”, which discusses all of these aspects in detail as well as the different security challenges that security introduces.