Saturday, February 28, 2009

Cloud Computing Security

Question:

What are your concerns about cloud computing security?

Answer:

I am not concerned. What we expect from any solution provider is no different from what we expect from a cloud computing service/infrastructure provider. Can they deliver it? Well, I do not think they (cloud computing providers) are worse than the incumbent corporate IT security teams in charge today. At the end of the day, cloud computing is going through a security management path similar to the one private networks followed for years (on a different scale :)

In the last month, I have seen several posts on several platforms regarding “Cloud Computing Security”. Without going into the context in which so many experts have delivered whitepapers, articles and posts, here are the concerns in simple English:

1- Who reaches my data? Is there any privacy?
2- Where is my data?
3- Can they control outbreaks in a distributed environment?
4- Can I get through compliance?
5- Can I or my peers audit security?

On the Western front, the security requirements are the same. Cloud computing does not change the requirements of information security, so to simplify the concept, we may claim that what we expect from a cloud computing provider is no different from what we expect from corporate IT.

Who reaches your data in the cloud? – Well, that is a question you must ask before signing the contract. Technically it is not worse than your TelCo providing MPLS; did you ever wonder who taps your data over the WAN? Make sure that the contract terms are in favor of PII and the relevant compliance requirements you are subject to. And do not be content with sales material from the cloud computing provider; audit it. (I actually know ways to bypass queries, so hire a good auditor who can accredit the cloud computing provider’s claims – e.g. they can say access to data is subject to need to know, but it is usually not the case.)

Where is my data? – Your data is factually in the cloud; you cannot know. It can be everywhere, but as long as it is secure, your BCP/DR plans are in place, and you are not breaking the law by sending data overseas, you should be fine. Why do you care? Do you see your money when it is in the bank? Do you worry because it is not in your home safe? (I think this is a bad allegory for today :) Again, audit the claims and put it in the contract.

Can they control the outbreaks? Is it a controlled environment? – I can make the bold claim that cloud computing services have higher availability than corporate IT services. They are usually redundant on a gigantic scale, and they hire brilliant engineers in bulk (see the providers: Google, Microsoft, Amazon, Salesforce). Things go wrong everywhere, so make sure that you always have an isolated plan B in the cloud, and again put it in the contract and test it; make sure BCP/DR works.

Can I get through compliance? – Easily. If it is included in the contract, passing compliance will be easier than ever: my cloud computing provider goes through PCI, HIPAA, SOX, ISO 27001 et al.; they pass, I pass, what a wonderful feeling. Well, if your provider does not offer compliance services, then ask for them; at the end of the day you may not be able to dispatch auditors to 500 data centers (a Big 4 dream).

Can we/peers audit it? – You must. The cloud computing provider must be open like an encryption algorithm; remember the old basics: security through obscurity is no security at all. Again, put it in the contract, do the sampling right (you cannot audit it all, be a pragmatist) and audit it.

If you have a specific question, I can write up the specifics and play the devil’s advocate.

Regards,

- yinal ozkan