Seven Areas of Concern With Cloud Security

Thursday, August 18, 2011

Brent Huston


One of the government’s major initiatives is to promote the efficient use of information technology, including the federal use of cloud computing.

So good, bad or indifferent, the government is now moving into the wild world of cloud computing – despite the fact that it is a new way of doing business that still has many unaddressed problems with security and the general form that it is going to take.

At the Cloud Computing Summit on April 29, 2009, it was announced that the government is going to use the cloud for email, portals, remote hosting and other apps that will grow in complexity as agencies learn about security in the cloud. They are going to use a tiered approach to cloud computing.

All businesses, both large and small, are now investing resources in cloud computing. Here are seven problematic areas for which solutions need to be found:

  • Vendor lock-in – Most service providers use proprietary software, so an app built for one cloud cannot be ported to another. Once people are locked into the infrastructure, what is to keep providers from upping the price?
  • Lack of standards – The National Institute of Standards and Technology (NIST) is getting involved, but standards are still in development. This feeds the vendor lock-in problem since every provider uses a proprietary set of access protocols and programming interfaces for their cloud services. Think of the effect on security!
  • Security and compliance – Security offerings for data at rest and in motion are limited, and providers have not agreed on compliance methods for provider certification (i.e., FISMA or Common Criteria). Data must be protected while at rest, while in motion, while being processed and while awaiting or during disposal.
  • Trust – Cloud providers offer limited visibility of their methods, which limits the opportunity to build trust. Complete transparency is needed, especially for government.
  • Service Level Agreements – Enterprise-class SLAs will be needed (99.99% availability). How is the data encrypted? What level of account access is present and how is access controlled?
  • Personnel – Many of these companies span the globe – how can we trust sensitive data to those in other countries? There are legal concerns such as a limited ability to audit or prosecute.
  • Integration – Much work is needed on integrating the cloud provider’s services with enterprise services and making them work together.

Opportunities abound for those who desire to guide cloud computing. Those concerned with keeping cloud computing an open system drafted an Open Cloud Manifesto, asking for a straightforward conversation in order to avoid potential pitfalls.

Keep alert as the standards develop and contribute, if possible.

Cross-posted from State of Security
