Cloud computing security
Encyclopedia
Cloud computing security (sometimes referred to simply as "cloud security") is an evolving sub-domain of computer security
, network security
, and, more broadly, information security
. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing
. Cloud security is not to be confused with security software offerings that are "cloud-based" (a.k.a. security-as-a-service). Many commercial software vendors have offerings such as cloud-based anti-virus or vulnerability management.
, Platform-, or Infrastructure-as-a-Service via the cloud) and security issues faced by their customers. In most cases, the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected while the customer must ensure that the provider has taken the proper security measures to protect their information.
(that it cannot be accessed by unauthorized users or simply lost) and that data privacy
is maintained, cloud providers attend to the following areas:
securely when “at rest” and it must be able to move securely from one location to another. Cloud providers have systems in place to prevent data leaks or access by third parties. Proper separation of duties should ensure that auditing and/or monitoring cannot be defeated, even by privileged users at the cloud provider.
or SSO
technology, or provide an identity management solution of their own.
measures
(application-level firewalls) be in place in the production environment.
and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.
(HIPAA), the Sarbanes-Oxley Act
, among others. Many of these regulations require regular reporting and audit trails. Cloud providers must enable their customers to comply appropriately with these regulations.
and data recovery
plans in place to ensure that service can be maintained in case of a disaster or an emergency and that any data lost will be recovered. These plans are shared with and reviewed by their customers.
, and end-of-service (when data and applications are ultimately returned to the customer
requirements in the public sector
, where many agencies are required by law to retain and make available electronic records in a specific fashion. This may be determined by legislation, or law may require agencies to conform to the rules and practices set by a records-keeping agency. Public agencies using cloud computing and storage must take these concerns into account.
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
, network security
Network security
In the field of networking, the area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources...
, and, more broadly, information security
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing
Cloud computing
Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility over a network ....
. Cloud security is not to be confused with security software offerings that are "cloud-based" (a.k.a. security-as-a-service). Many commercial software vendors have offerings such as cloud-based anti-virus or vulnerability management.
Security issues associated with the cloud
There are a number of security issues/concerns associated with cloud computing but these issues fall into two broad categories: Security issues faced by cloud providers (organizations providing Software-Saas
SAAS is an abbreviation for* Social Accountability Accreditation Services* Software as a service * Student Awards Agency for Scotland* Seattle Academy of Arts and Sciences* South Australian Ambulance Service...
, Platform-, or Infrastructure-as-a-Service via the cloud) and security issues faced by their customers. In most cases, the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected while the customer must ensure that the provider has taken the proper security measures to protect their information.
Dimensions of cloud security
While cloud security concerns can be grouped into any number of dimensions (Gartner names seven while the Cloud Security Alliance identifies thirteen areas of concern) these dimensions have been aggregated into three general areas: Security and Privacy, Compliance, and Legal or Contractual Issues.Security and privacy
In order to ensure that data is secureData security
Data security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Thus data security helps to ensure privacy. It also helps in protecting personal data. Data security is part of the larger practice of Information security.- Disk Encryption...
(that it cannot be accessed by unauthorized users or simply lost) and that data privacy
Data privacy
Information privacy, or data privacy is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them....
is maintained, cloud providers attend to the following areas:
Data protection
To be considered protected, data from one customer must be properly segregated from that of another; it must be storedData storage device
thumb|200px|right|A reel-to-reel tape recorder .The magnetic tape is a data storage medium. The recorder is data storage equipment using a portable medium to store the data....
securely when “at rest” and it must be able to move securely from one location to another. Cloud providers have systems in place to prevent data leaks or access by third parties. Proper separation of duties should ensure that auditing and/or monitoring cannot be defeated, even by privileged users at the cloud provider.
Identity management
Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer’s identity management system into their own infrastructure, using federationFederation
A federation , also known as a federal state, is a type of sovereign state characterized by a union of partially self-governing states or regions united by a central government...
or SSO
SSO
SSO may refer to:*Statistical Society of Ottawa, the Ottawa Regional Association of the Statistical Society of Canada and the Ottawa Chapter of the American Statistical Association.*Sanitary sewer overflow...
technology, or provide an identity management solution of their own.
Physical and personnel security
Providers ensure that physical machines are adequately secure and that access to these machines as well as all relevant customer data is not only restricted but that access is documented.Availability
Cloud providers assure customers that they will have regular and predictable access to their data and applications.Application security
Cloud providers ensure that applications available as a service via the cloud are secure by implementing testing and acceptance procedures for outsourced or packaged application code. It also requires application securityApplication security
Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application.Applications only...
measures
(application-level firewalls) be in place in the production environment.
Privacy
Finally, providers ensure that all critical data (credit card numbers, for example) are maskedData masking
Data masking is the process of obscuring specific data elements within data stores. It ensures that sensitive data is replaced with realistic but not real data. The goal is that sensitive customer information is not available outside of the authorized environment...
and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.
Compliance
Numerous regulations pertain to the storage and use of data, including Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability ActHealth Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 was enacted by the U.S. Congress and signed by President Bill Clinton in 1996. It was originally sponsored by Sen. Edward Kennedy and Sen. Nancy Kassebaum . Title I of HIPAA protects health insurance coverage for workers and their...
(HIPAA), the Sarbanes-Oxley Act
Sarbanes-Oxley Act
The Sarbanes–Oxley Act of 2002 , also known as the 'Public Company Accounting Reform and Investor Protection Act' and 'Corporate and Auditing Accountability and Responsibility Act' and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, which...
, among others. Many of these regulations require regular reporting and audit trails. Cloud providers must enable their customers to comply appropriately with these regulations.
Business continuity and data recovery
Cloud providers have business continuityBusiness continuity planning
Business continuity planning “identifies [an] organization's exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization, whilst maintaining competitive advantage and value system integrity”. It is also called...
and data recovery
Data recovery
Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are being salvaged from storage media such as internal or external hard disk drives, solid-state drives , USB flash drive,...
plans in place to ensure that service can be maintained in case of a disaster or an emergency and that any data lost will be recovered. These plans are shared with and reviewed by their customers.
Logs and audit trails
In addition to producing logs and audit trails, cloud providers work with their customers to ensure that these logs and audit trails are properly secured, maintained for as long as the customer requires, and are accessible for the purposes of forensic investigation (e.g., eDiscovery).Unique compliance requirements
In addition to the requirements to which customers are subject, the data centers maintained by cloud providers may also be subject to compliance requirements.Legal and contractual issues
Aside from the security and compliance issues enumerated above, cloud providers and their customers will negotiate terms around liability (stipulating how incidents involving data loss or compromise will be resolved, for example), intellectual propertyIntellectual property
Intellectual property is a term referring to a number of distinct types of creations of the mind for which a set of exclusive rights are recognized—and the corresponding fields of law...
, and end-of-service (when data and applications are ultimately returned to the customer
Public records
Legal issues may also include records-keepingRecords management
Records management, or RM, is the practice of maintaining the records of an organization from the time they are created up to their eventual disposal...
requirements in the public sector
Public sector
The public sector, sometimes referred to as the state sector, is a part of the state that deals with either the production, delivery and allocation of goods and services by and for the government or its citizens, whether national, regional or local/municipal.Examples of public sector activity range...
, where many agencies are required by law to retain and make available electronic records in a specific fashion. This may be determined by legislation, or law may require agencies to conform to the rules and practices set by a records-keeping agency. Public agencies using cloud computing and storage must take these concerns into account.