A lot of business executives are familiar with the benefits of cloud computing that are been offered over a traditional in house IT departments. But as the popularity of this new alternative expands, questions concerning to its security are being raised. Is cloud computing as safe as having your data network in house?
Data in Cloud Computing is Centralized
There is nothing like traditional networks which leave documents and other information data spread casually between employee work stations, data inside the cloud is centralized. Since cloud computing providers are typically held to too much higher standards than in house IT security teams, this normally means that the data is safer than on your own network. This data is accessed only through web browsers which can be set to clear their cache each and every time they are closed.
Take this in comparison with delivering an email, for example: The email with attachment is distributed to n number of employees who are expected to utilize the information properly then discard or resend it. In the case of cloud computing – no data would be sent to the staff members. They would be able to log on to one central location, view the data, make any type of changes they needed cooperatively, then log out – all without actually downloading the information.
Cloud Computing Security Concerns are Logical, but not Actual
So far, there has been no major violations of cloud security. Compare this with private networks, in which there are numerous stories every week of breached data or stolen client machines.
A lots of people are concerned about the security in a cloud computing setup. People are used to thinking that something in their control is more secure than if it is out in the open. Even though that seems like common sense, it simply isn’t true. All connected networks are ‘out in the open’. Cloud computing simply gives fewer chances to access that data by its very design.
Ideas to Improve Cloud Computing Security
As we all know that cloud computing is pretty much new if compared to the traditional in house IT departments, there does tend to be a shortage of standardization on security problems. A lots of well known companies like Hewlett Packard, IBM, ESDS eNlight Cloud, and others are initiating to contribute in security programs.
By its very design and within the use of normal security measures such as encryption, cloud computing security is really not a barrier to enter any longer. In most trials it proves to be just as secure if not more so than normal in house data networks. As time moves forward, the many benefits in-built to cloud computing will ensure that it remains the focus of the IT security industry.
Even though the self-hosted infrastructure seem to be free from cloud-hosted infrastructure threats, but meeting the security expectations of those who depend on it can be prohibitively expensive. Usually, it costs a lot to secure a hosting infrastructure with respect to the amount of machines that need to be secured.
Some of the fixed costs consists:
Operators of the cloud infrastructure can easily liquidate these fixed costs over a much bigger infrastructure then that of self-hosting organizations. Cloud hosting companies staff can specialize more than in their equivalent administering self hosted infrastructure. It simply allows them to create expertise that helps to increase the productivity.
The managed security services already enable the self-hosted infrastructure owners to gain some of these scale benefits. These solutions range from solution in a box and these boxes offers features such as firewalls, backup, spam filtering to full service security consulting and the system monitoring.
Unfortunately, these managed security services can expose customers to many of the same threats that a cloud hosting providers customers face. For example, a spam email filtering box will have complete access to the customers infrastructure and all of the incoming email, as is open to secret search.
Also, security features built within the infrastructure can be much cheaper to associate into an application, that those that needs new elements to be installed or that having an API key that may not be feasible to customize to the infrastructure.
Lets have a look at some important security features that could be built into cloud hosting as well as some them that already exists in the cPanel:
Clients can easily afford most of these features if they have to cover only their share of the marginal costs. Another great advantage of creating security features into the cloud infrastructure is to render the new attacks data from multiple tenants, so that the monitoring system gets more alert to prevent other customers from similar attacks.
Cloud computing is an example of a virtualized system, ultimately, it is a natural evolution for data centers that use automated systems management, workload balancing, and virtualization technologies.
Cloud Services offers a number of benefits that your company can take advantage of :
The cloud promises to reduce the cost, delivery and maintenance of computational power, allowing companies to buy only the necessary computing services instead of investing in expensive and complex infrastructure.
Low-cost Computers To The User: You do not need a computer to run next generation applications that are hosted in the cloud. As the application runs on the server, not the user’s computer, it does not need many resources on the computers. Thus, we can get lower cost computers, with ability to basically perform the operating system and web browser.
Lower Costs Of IT Infrastructure: The investment that would be made in purchasing ever more powerful servers, may be directed to the hiring of cloud servers and those adequate resources can be easily resized as the business need. It is possible to hire servers that overcome a spike in usage and dismiss them when no longer needed.
Reduce The Cost Of Software: It is no longer necessary to purchase the software, since cloud computing companies charge an amount to provide software as a service. And yet today we have companies that are offering their web based applications for free, which makes it much more interesting than paying the high values of software licensing traditionally charged.
Decreasing Hardware Costs: The cloud providers acquire servers, network equipment, internet connection and many other equipment in large quantities, thus able to negotiate better prices with suppliers and with a much shorter period than most companies.
Lower Investment: When you purchase a server in the cloud, you make a contract in the form of service, like a lease, paying a small amount per month, according to what was contracted. At the end of the contract, you recover your data and return it to the server provider hired. So in addition to not having to face a great investment at the beginning of the service, when the contract ends you are not left with an obsolete server kept in any room of your company.
If you are anticipating an increase in your computing needs (or even if you are surprised by a demand), cloud computing can help you manage this demand.
The cloud allows users to suit their specific needs. Cloud computing is infinitely scalable and enables IT infrastructures to be expanded efficiently without the need to make large capital investments.
Increased Computational Power: When a cloud is contracted, there is no limitation on the computing power of a physical machine. With the new computing model, we can perform tasks that require high performance computing by utilizing the power of thousands of servers in the cloud. In other words, you can perform more tasks in the cloud than you can do on the server.
Unlimited Storage Capacity: Likewise, the cloud offers virtually unlimited storage capacity. Thus, it is not necessary to worry if the disk space is running low. When this does occur, simply allocate more disk to the cloud server almost instantly and continue with your work normally.
Cloud computing relieves the burden on already overburdened IT resources. By changing the non-critical data to the cloud, your IT department is free to work in business-related tasks. You also do not need to add more people and specialized training to handle these tasks.
Moreover, as network outages are a nightmare for IT staff, this burden is discharged.
Less Maintenance Problems: In the case of maintenance costs, cloud computing dramatically reduces maintenance costs of hardware and software. With the need for fewer physical servers in the company, maintenance costs are reduced immediately and as cloud applications are in the cloud, there is no software on computers in the organization to maintain.
Software Updates: Another advantage is that, we no longer need to use older software or pay high fees to upgrade them to a newer version. When an application is web-based, updates happen automatically and are available for the next time you use it in the cloud. In the case of cloud servers, the cost of updating software will certainly be much lower than buying the new version.
Best Performance: With regard to performance, the computer must run fewer applications to provide what a user needs. Thus, with fewer programs allocating memory space, not using hard drive space and not using CPU cycles, you may notice a significant improvement of performance of your computer while performing your daily tasks.
The cloud promises universal access to high computing power and storage resources for anyone with a device having access to the internet network.
For example, you do not need to take your documents with you. Instead, they stay in the cloud, where you can access them from anywhere that has an internet connection. All your documents are instantly available. No matter where you are.
Unlike traditional computing, where a hard disk crash can destroy all your data, a computer with problems in the cloud does not affect the storage of your data. This is because, data in the cloud is automatically duplicated, so that nothing is lost. This also means that if your computer crashes while working, all your data will still be in the cloud. In a world where only a few users make backup of data regularly, cloud computing can keep data safe.
For many users, collaborative work is one of the most important advantages of cloud computing. Several people may have access to documents in a project simultaneously. As the document is edited, the changes appear automatically on the screen of other users who are using the document.
In the next article I will discuss the disadvantages, limitations and potential problems when using the private cloud.
As one of the most promising ways to optimize IT infrastructure, cloud computing is increasingly considered. There are many advantages of Cloud Computing technology, but the question of the reliability of data protection by using the concept of cloud computing is becoming a major deterrent.
To ensure information security, the learning of new techniques and technologies that can record incidents, develop new standards of information security. In particular, it becomes difficult to distinguish who is responsible for what, as cloud computing is an infrastructure significantly different from the traditional model and can be dynamically changed. It should be noted that there is a psychological aspect of this problem. IT outsourcing has not yet received such a development in India as in the West, and many executives are skeptical about the idea of transfer of IT infrastructure services to an outside expert.
As practice shows, the use of cloud computing can even increase the level of data security. One of the reasons – it is a constant concern about the high level of security on the part of companies that provide access to the services of cloud computing. Aware of the concerns of their clients, they have to invest significant resources in building and maintaining a reliable security system. Some providers of IT services in the field of Cloud Computing makes clear emphasis in its marketing of the company to guarantee a high level of security.
The following conditions must be observed to ensure reliable security in cloud services:
1. Cryptographic methods for data safety should be used. All the data that the client is running within the service should be securely encrypted.
2. The very process of transferring information from the client and the server must also be safe, it is necessary to use a secure data transfer protocols to access the server.
Experts warn that there is still insufficient attention paid to security when it comes to the newfangled, more and more an emerging trend of “IT - Cloud Computing”. What are the main reasons for the choice made in favor of the clouds? The answer is obvious: in the first place, it is economical and easy to use.
In a broad sense, “cloud solutions” is outsourcing data previously placed on personal computers. If you use e-mail services, such as Gmail, or if you have an account with social networking sites, then you’re already using cloud computing, since your data is stored and processed on remote dedicated servers. The main advantage of such an organization working with data is their availability in any place where there is Internet access.
In terms of corporate consumer cloud technologies enable growing businesses to reduce IT costs by reducing the budgets for the purchase of hardware and software necessary for processing and storing information.
Private users, for example, can upload pictures or documents to the cloud, using services such as Flickr or Google Docs, and access them from home, internet cafe, or, for example, with a variety of portable devices.
“Cloud” mechanisms and principles of treatment, storage, and access to it, of course, are very comfortable and profitable. However, according to experts, the main problem is that the user has no idea of who, where and how to manage the infrastructure, ensuring the safety of information. The user does not know whether in fact, data is protected or not. He has no confidence in the fact that his information will not disappear or will not be disclosed at some point.
Many studies show that despite the increasing popularity of outsourcing of IT resources, half of the heads of organizations are extremely concerned about the issues of information security and what are the potential threats to virtualized computing environments that can create the problem, whose solution requires an integrated approach.
Having its own IT infrastructure, companies take their own security measures for protection, for example, using tools such as network filters and antivirus software. If the data is stored and processed in the external environment, the security issues are beyond the control of the owners of the data.
Currently there are no official regulations that would regulate the safety issues for suppliers of cloud solutions and services, through which the user can be completely confident that the security of its data is provided properly.
Virtualization technologies not only reduce costs and save energy consumption, but also generate a lot of questions for data protection. In particular, the concentration of cloud technologies require a huge amount of information in a single space, which, in turn, can bring computer criminals of all shades and degrees. For example, in January of this year, the functioning of email service by Google was in jeopardy because of hacker attack.
With the development and popularization of cloud technologies, it can be expected that a new generation of malicious software will be developed that can serve as a significant reason to compromise themselves, and cloud services providers offering services.
Finally, of particular concern in the development of cloud technologies is the possibility of interference with privacy of service users. For example, various governmental and other entities are much easier to gain access to user data stored in the cloud, rather than the data that the user stores locally. Such examples are already there. For example, many lenders are using social networks as a tool to find debtors.
While in recent months, access to applications is offered in pay per use model, being hosted on shared data centers (which is known as cloud hosting services), (arguments) continue flying over the issue of security as a recurring objection to the general expansion of the use of the cloud.
Without wishing to deny the existence of risks, try to propose the following hypothesis: will have to set optimal levels of security that do not impede or complicate access and use of software applications and services.
There is a maximum security level, which is credited with 100% confidence that there will be no risks: always keep your computer off.
Most studies conclude the existence of quasi-apocalyptic risks that are computer security companies or service providers that impact on their levels of safety and business case.
Those who seem to have the most spyware code distributed around the world are governments, who in turn create the laws for the security checkpoint.
The group of non-internet users is precisely the one that seems to have security issues.
The setting of restrictions on access to internet sites has meant that, in most large organizations, employees have not been able to access critical information necessary for their work when they are needed.
The use of antivirus, antispam, … and other security services consume much resources and slow down the PC so that large numbers of personnel management and maintenance of networks and teams in organizations chose to uninstall them and have a copy of their data and their applications, which are immediately restored on regular basis.
While centers reported that high level of security has localized malware code, which is not on specific devices, internal network or don’t know what type of malware it is, so presumably it exists, but their relation to any risk of physical security is virtually nonexistent.
The greatest risk for loss of information lies in overheating of the machine where it is stored. I would not be mistaken if I say that the control measures and physical security of any data center operating internet is much higher than any company that maintains the machines on their premises.
The above statement is also valid for the control and limitation of physical access to machines.
According to studies, revenue in the area of “cloud computing” technologies in 2013 will amount to 150 billion dollars. Many businesses have already implemented the transfer of corporate data in the cloud, many more companies are going to do it soon, but a lot of people are worried about the security of data stored in the cloud. Of course, no one can guarantee absolute security in any computing environment, however, the transition to “cloud” technology can take certain measures to help in reducing the risk of data loss to a minimum. For example, when choosing cloud providers, it is important to look not only at firms’ pricing power, but also implemented its security protocols. It is important to understand that the transition to “cloud” technologies may be safer than the standard internal solutions as the industry has invested billions of dollars in information security.
In public, the cloud system end-user has a high level of automation. Customers can place their applications in the cloud and manage all the user settings of your services. Public “cloud” has no such visibility as a private cloud has. If you are using a public “clouds” you give the placement of computing resources in to control. In particular the “cloud” resources are used by fewer people and they have a higher level of management. Depending on these differences to safety management in these environments, specific practices.
The first and most important step is the installation procedure of authorization. For the selection of the password, it requires randomization procedure and the need for strict adherence to protocols that create passwords for all staff. It’s amazing, but many people still use words like “password” or a combination of digits “12345″ as a password to access key data sources. Application of the standard LDAP and administrator credentials you can really protect your information.
Having dealt with the internal procedures of authorization, you should pay close attention to outsourcing partners. Whether they are holding your security protocols and perform background checks, whether they are complying with any other measures that protect and control the transmission of information. Information sharing is crucial, especially in the case of public computing environments. Providers must use the best encryption tools to keep your information safe and in usable condition. They must also provide administration services to the highest level, including installing firewalls and advanced detection of network attacks.
Legal aspects of data storage in the cloud hosting
There are many legal problems connected with the storage of information, especially data identifying a person. Despite the fact that information is in the cloud, it is still somewhere to be placed and there are rules that govern its movement. In some countries, such as India, imposed very strict requirements for safety information, which limit the storage and movement of information. Choose a provider who is knowledgeable about these rules, and could, if necessary, too quickly move your information to comply with these requirements. According to a study, more than forty states have official regulations governing the methods of protection of personal data (PII). Should give preference to well-known providers of cloud services, which have systemic means of controlling the movement of PII under its “cloud” network.
Many cloud providers enter the market, not having sufficient experience in the field of human resources policies and technologies. That is why in order to obtain a comprehensive understanding of the work of a company, should ask more than a dozen issues. One of the most important – the question of who will have the right to access and transfer your information. Whether they will notify you about any breach of security, or just hide them.
Does this outsourcing company allow you to optionally create an emergency data center for disaster?
The contract may provide higher levels of encryption standards for data storage. In addition to this “cloud” provider should be familiar with the work of any other suitable provider of SaaS and its technologies. Your business depends on many different outsourcing companies, one way or another address with your information, so it is important that the information management system have no weak links.
Outsourcing companies need to adhere to certain standards, assigning passwords that reduce the likelihood of hacking. In the case of multiplayer “cloud” above average risk, and therefore cloud providers must show that they use management tools that provide separation to reduce the risks.
Achieving a high level of safety in public and private “clouds” requires confidentiality requirements and user access. New solutions for information storage and management come to market fairly quickly, and as these tools are introduced, users will get additional protection for their information.
Each time the subject arises in a Cloud Computing meeting, the issue of security comes first. So it was natural that I return to discuss this topic. In this second part, I will address the external providers of infrastructure to IaaS cloud providers. Following the first part , in which we talked a bit about the practice of security in the clouds and the future of this issue.
Analyzing Providers and Security Levels
For IaaS providers, the first reminder is that they are not equal. That is, each provider, despite the apparent similarities of the security features when looking at the matter superficially, offering very different levels of security when we delve into the analysis.
It’s inevitable. The experience, training and financial power behind the corporate DNA of each provider will translate into different safety management processes.
A hosting provider aimed at individuals and small businesses, who acted as cloud providers, lacks the experience of another company that is dedicated from years to outsource services to companies outsourcing extremely demanding on safety, such as banks and operators of credit cards.
Some examples: What level of physical security control and management offered by the cloud computing providers in their data centers?
Are there appropriate technologies to mitigate the effects of DDoS (Distributed Denial of Service)? What are the resources offered by the provider for intrusion detection? What resources are available to ensure isolation of virtual machines from different clients that share the same physical server?
Another aspect that must be analyzed in external providers is the issue of IAM (Identity and Access Management). I suggest you to validate how employees access the provider’s own virtual machine.
Limits and Authorizations For Access To Data
Employees of the provider have access to operational activities such as debug or update patches, is such access audited and traceable? In the case of access by customers, the ISP has procedures to ensure that only authorized users access virtual machines such as clients.
In addition, commercial speech may induce some additional confusion. Many providers argue that by having a level of auditing SAS 70 Type II will be absolutely safe. Not true, because the SAS 70 does not review the effectiveness of processes and security controls, but only checks if such procedures exist and are documented.
Another confusion arises when looking towards the provider requirements. Often, the provider meets only part of the requirements and it can happen that such shares are not up to the level of compliance of your company.
Thus, not enough to know that the provider is compliance with SOX or PCI DSS (Payment Card Industry Data Security Standard). You need to check carefully whether the level of compliance is appropriate to the needs.
Infrastructure and Responsibility for The Cloud Providers
In the end, although the cloud providers processes and controls adequate security, your company is ultimately responsible for security. In the case of (IaaS) cloud, do not forget we’re talking about virtual servers, and logical access control to applications and data is the responsibility of the users of the cloud and not the provider.
What does all this mean? Simple. Responsibility for the resilience of the cloud is shared by both the provider and its customers. The provider has to ensure the resiliency of data centers and servers. The applications are the responsibility of the company.
After evaluating all these procedures, the final message is to carefully evaluate the cloud providers, filter and analyze commercial speech in detail the processes and security controls offered.
In lectures and meetings on the topic of Cloud that always stands out among the debates is safety. Indeed, the question on security and fear of novelty is common and has always happened.
When in the early 90s of last century, the subject was the adoption of client-server model, the questioning was similar. The same happened when we began to speak in electronic commerce and still there is great fear of letting the use of credit cards over the Internet.
Today, the safety theme also permeates the discussion of major release or not the use of smartphones and social media in business. Anyway, it’s a natural discussion in my opinion.
Later, as the adoption of cloud spread, ie, after overcoming these concerns about the safety issues that will guide the events and discussions about cloud will be integrated (how to integrate different applications in cloud computing and with applications that are not cloud) and later still, we will have discussions on e-Governance. But as today’s most prominent theme is safety, we’ll explore it a bit more in this article.
Processes and changes
Methods and procedures for security change every time the computer model changes. It was so when the client-server and many of the methods were adopted for centralized environments have become useless.
This happened when the Internet became an integral part of business processes and methods adopted for internal security have proved inadequate and had to be modified. With the adoption of cloud, history is repeating itself. We have to rethink many of the security processes currently used.
However, when talking about security in cloud, we have to separate the public and private clouds. In addition, policies and hence the methods and security procedures adopted differ from company to company, as the risk tolerance is different in different companies and industries.
In private clouds, security policies are already adopted by the company, and already updated to the new model. In public clouds, the security policy is subject to the methods and processes adopted by the cloud provider.
Certifications, costs and technologies
The security concerns are paramount to the success of any provider of public clouds and they, at least those who have sufficient intellectual and financial capital, implement processes, methods and technologies to strengthen security.
Moreover, many seek to pass through external audits as SAS 70 and official certifications as ISO 27001 . In the U.S. and Europe, there is also the quest for compliance with FISMA (Federal Information Security Management Act) for projects with the U.S. government, Payment Card Industry Data Security Standards for transactions involving credit cards and European Data Privacy Directives for operations with European companies .
On the other hand, less tolerant of risks companies choose to adopt private clouds for their critical systems, using only public clouds for applications that do not involve risks to business.
Indeed the adoption of cloud happens when the perceived value by the new model exceeds the perception of their risk. Cloud should be adopted not only by reducing costs, but the speed and flexibility that allows the company to innovate and create new products and services supported by IT.
Adoption and review processes and methods
Adopting cloud means reviewing its processes, methods and security technologies. For clarity, we divide the security issue in different aspects such as:
The analysis of these points is going to set the pace of adoption of cloud and the cloud will be private, public or hybrid. For example, in the inquiry audit, SAS 70 procedures were not fully prepared for cloud and is now working in 16 SASE as a replacement.
As the concept of cloud evolves, new processes and security technologies will emerge and we will see a virtuous circle. These new technologies will bring more confidence to the use of cloud, which will increase its spread and thus more spread, there will be more new and innovative security technologies, by rotating the circle.
Changes in market
As a sign of maturity of the market, we started seeing the first efforts in setting safety standards. These patterns allow classification consistently on the security solutions offered by both private clouds, and especially the public cloud providers.