I found this diagram as an easy way to explain, what additional security challenges cloud introduces to an organization. What is so different about it?
In my first blog on this topic, I would like to start with this perspective in simple and understandable overview. To continue this chain one can comment with specific solution in each of this area.
Security Governance, Risk Management and Compliance
In a cloud scenario, It is critical and important to demonstrate the Laws of the land and ensure data are stored and accessed within regulatory constraints, Encryption is applied to the data as permitted by country/jurisdiction.
Since public clouds are by definition a black box to the subscriber, potential cloud subscriber need to demonstrate regulatory compliance to the change, image, and incident management, as well as incident reporting for tenants and tenant-specific log and audit data.In addition, providers sometimes are required to support third-party audits, and their clients can be directed to support e-Discovery and forensic investigations when a breach is suspected.
People and Identity
Cloud environments usually support a large and diverse community of users. In addition, clouds introduce a new tier of privileged users: administrators working for the cloud provider. Privileged-user monitoring, including logging activities, becomes an important requirement.
How do you control passwords and access tokens in the cloud?
How do you federate identity in the cloud?
How can you prevent userids/passwords being passed and exposed in the cloud unnecessarily, increasing risk?
Data and Information
Typical concerns include the way in which data is stored and accessed, compliance and audit requirements, and business issues involving the cost of data breaches. All sensitive or regulated data needs to be properly segregated on the cloud storage infrastructure, including archived data. Increased control to the data is needed specially for privileged users administering cloud environment.
Encrypting and managing encryption keys of data in transit to the cloud or data at rest in the service provider's data center is critical to protecting data privacy and complying with compliance and regulatory mandates. The encryption of mobile media and the ability to securely share those encryption keys between the cloud service provider and consumer is an important and often overlooked need. It is critical that the data is encrypted and only the cloud provider and consumer have access to the encryption keys.
Application and Process
Typical application security requirements are carried over to the images that host those applications. In addition, cloud users demand support for image provenance and for licensing and usage control. Suspension and destruction of images must be performed carefully, ensuring that sensitive data contained in those images is not exposed.
Organizations need to ensure that the Web services they publish into the cloud are secure, compliant, and meet their business policies.
Network, Server and End point
In the shared cloud environment, subscriber need to ensure that all tenant domains are properly isolated and that no possibility exists for data or transactions to leak from one tenant domain into the next. To help achieve this, clients need the ability to configure trusted virtual domains or policy-based security zones. As data moves further from the client's control, they expect capabilities like Intrusion Detection and Prevention systems to be built into the environment.
Protecting the hypervisor which interacts and manages multiple environments in the cloud is very critical and important. The hypervisor being a potential target to gain access to more systems, and hosted images.
The cloud's infrastructure, including servers, routers, storage devices, power supplies, and other components that support operations, should be physically secure. Safeguards include the adequate control and monitoring of physical access using biometric access control measures and closed circuit television (CCTV) monitoring.
Further details can be extracted from IBM red book and white paper