Cloud Computing is becoming more and more the buzzword of every conference, meeting and article. Yet it is still in its inception, and there is a multitude of issues and problems. Cloud services are springing up like mushrooms after rain, and all the big players want a piece of the pie.
Dark Reading discusses Quelling 7 Cloud Computing Fears, in which it touches on the issue of trust and security. The author recommends that cloud computing providers be proactive in gaining the trust of their users and potential users.
How do we decide when we trust the cloud?
Here are the mechanisms by which we can approach the level of trust that we have in our infrastructure for the cloud. But bear in mind that each approach has its own pitfall!
- Encryption - Most readers will immediately start to think about encryption. Yes, it is a good idea, but is it enough? With encryption, regardless of the algorithm used, you are always dependent on the actual implementation of the algorithm. If the implementation is flawed, there can be back doors into your data. And you can't control or check the implementation - it's in the cloud.
- Certification to Security Standards - A logical industry choice - if you are certified to a security standard, you are all good and well. But tread very lightly and be very careful about this: most security standards are quite flexible - you can choose to certify only a subset of your operations. So a security certificate for the data transfer subsystem won't do you much good when you are using the cloud for storing your customer database - the data storage and processing subsystem may not even be up to the security level of your home PC!
- Compensating Penalties (Contractual and via Litigation) - You can try to define penalties for breach of security within the service contract. But the cloud provider will cap such penalties at a limit which may be far below what you estimate to be your financial impact, and simply refuse to offer the service if you insist on full penalties. And unless you have an army of international lawyers on your payroll, don't even try to go into litigation - you'll end up losing even more money in the trial.
- Insurance - Transferring the financial impact of a failure can be an elegant solution. But the insurance company will start asking the same questions about trusting the cloud provider and can quite easily add a significant premium charge to your insurance.
There is no magic wand that will make users suddenly increase their trust in cloud computing services. But agreeing on a common standard for what must be met in terms of Confidentiality and Integrity is a step in the right direction.
We recommend that the minimal requirements should be:
- Always insist on the cloud provider having a valid Security Standard Certificate which covers the entire scope of services that you plan on using.
- Contractual penalties should be in place for everything that can be quantified. This means that you'll even need to quantify loss of every byte of data.
- Where the cloud computing service you use allows it, encryption should be implemented for the data stored/processed in the cloud.
Talkback and comments are most welcome.