By Rob Chee, Force 3 Security Team Lead, CCIE 8188 (R&S and Security)
Interest in cloud computing has been growing at a rapid rate, as evidenced by recent articles published in various trade magazines, including Information Week, Network World, and InfoWorld. These articles, along with my personal experience, show that many companies, government agencies, and educational institutions are moving toward the cloud for services.
For small companies, agencies and educational institutions, Software as a Service (SaaS) makes a lot of sense from a management perspective. With SaaS, much of the burden of supporting the hardware infrastructure and software updates is removed. For example, they can use a mail application like Gmail for Business to service their electronic mail. Doing this shifts much of the hardware and software maintenance weight from their shoulders onto the SaaS vendor. No longer are they burdened with maintaining a server and the mail application, dealing with upgrades, and integrating new features.
But before these options become a broader reality, implementing cloud security is the challenge that must be addressed. Cloud computing environments must meet compliance requirements, secure data in transit and at rest, have a proven backup and restore methodology, and have a scalable method of authenticating users to the environment. This is important in public, hybrid, and private clouds, with private clouds offering companies the most control over these requirements because the infrastructure is fully controlled by the company. On the flip side, public and hybrid clouds require a “trust but verify” approach. The cloud provider must not only be trusted to provide the level of security advertised, but its security also needs to be verified through periodic reports and independent third-party validations.
It is exciting to see that the groundwork is being laid for a secured cloud computing environment. Industry and government officials have seen the importance of securing the cloud and are forming advisory groups to tackle security challenges in a cloud environment and provide ongoing guidance to the entire internet community. This is valuable because the cloud computing landscape is extremely dynamic and will be changing very quickly over the coming years. The National Institute of Standards and Technology (NIST) has created a webpage on cloud computing. The Cloud Security Alliance (CSA) has also created a webpage with guidance for securing the cloud.
The business value of cloud computing – reducing costs and enabling flexible growth and manageability – makes cloud computing an option that will only grow in the future. The exciting challenge is securing the cloud so that the business value continues to grow securely.
NIST Cloud Computing Webpage
NIST Cloud Computing Wiki
NIST DRAFT Guidelines on Security and Privacy in Public Cloud Computing
Cloud Security Alliance
OpenCrowd Cloud Taxonomy
Jericho Forum with insight by CISOs on advancing secure business
ENISA Cloud Computing Risk Assessment Paper