Debating Cloud Computing Security | Part II

Each time the subject arises in a cloud computing meeting, security comes up first. So it was natural for me to return to this topic. The first part covered security practice in the cloud in general and where the issue is heading; in this second part I look at IaaS providers themselves, treated as external providers of infrastructure, and at how to evaluate them.

Analyzing Providers and Security Levels

The first reminder about IaaS providers is that they are not all equal. Looked at superficially, their security features appear similar; looked at closely, they offer very different levels of security.

That is inevitable. The experience, training and financial strength behind each provider's corporate DNA translate into very different security management processes.

A hosting provider that serves individuals and small businesses and has started calling itself a cloud provider lacks the experience of a company that has spent years running outsourced services for customers with extremely demanding security requirements, such as banks and credit card operators.

Some examples of the questions to ask: What level of physical security control and management does the provider offer in its data centers?

Does it have adequate technology to mitigate DDoS (Distributed Denial of Service) attacks? What intrusion detection capabilities does it offer? What controls guarantee the isolation of virtual machines belonging to different customers that share the same physical server?

Another aspect that must be analyzed at an external provider is IAM (Identity and Access Management). I suggest validating how the provider's own employees are able to access customers' virtual machines.

Limits and Authorizations For Access To Data

The provider's employees need access for operational tasks such as debugging or applying patches; is that access audited and traceable? On the customer side, does the provider have procedures to ensure that only users the customer has authorized can access the customer's virtual machines?

In addition, sales talk can add to the confusion. Many providers argue that holding a SAS 70 Type II audit report means they are absolutely safe. That is not true. A SAS 70 report is not a security certification: the provider itself chooses which control objectives and procedures are included in the audit, and the auditor only verifies that those controls exist, are documented and operated as described during the review period. Nothing obliges the scope to cover the controls that matter to your company, so you have to read the report rather than take the label at face value.

Another confusion arises when looking at which requirements the provider actually meets. Often the provider satisfies only part of a standard's requirements, and that partial coverage may fall short of the level of compliance your own company has to demonstrate.

Thus, it is not enough to know that the provider is "compliant" with SOX or PCI DSS (Payment Card Industry Data Security Standard). You need to check carefully which services and controls that compliance actually covers and whether that scope matches your needs; the requirements outside the provider's scope remain yours to satisfy.

Infrastructure and Responsibility for The Cloud Providers

In the end, even when the cloud provider's processes and security controls are adequate, your company remains ultimately responsible for its own security. In the IaaS case, do not forget that we are talking about virtual servers: logical access control to the applications and data running on them is the responsibility of the cloud customer, not the provider.

What does all this mean? Simple. Responsibility for the resilience of the cloud is shared between the provider and its customers. The provider must ensure the resilience of the data centers and physical servers; the applications, and what runs inside the virtual machines, are the customer's responsibility.

Having gone through all these points, the final message is to evaluate cloud providers carefully: filter out the sales talk and analyze in detail the processes and security controls that are actually offered.
