Cloud control

Security tops users’ concerns when it comes to cloud computing. Nick Coleman outlines the methods for making systems secure

A survey recently carried out for IBM found that 77 per cent of respondents believe that adopting cloud computing makes protecting privacy more difficult, while 50 per cent are concerned about data breaches or loss.

Indeed, when it comes to security the question now is often framed in terms of: where will my data be, who will be able to access it and how can I be assured of this and know what is really happening?

When speaking of cloud security some talk in terms of the infrastructure, some of applications and some of the smartphones or other devices that people might use to access a cloud. In reality, security in the cloud is about all of these things and more. It is important to think of which model you are buying into and ensure the security is appropriate.

In many ways, the technology has moved from being a back-office function and enabler of cost reduction to a driver of growth and value. There are several models of cloud computing, and security has to be appropriate to the model being used.

A framework for questions

When asking questions about cloud security having a framework helps, as does thinking about what will be needed when moving to the cloud, such as shared infrastructure and applications.

Elements that should be considered for inclusion in this framework are governance, a focus on the protection of data, security policy and audit measures, management of problems, management of vulnerabilities, a focus on the authentication of users and the protection of physical assets and locations.

Taking this kind of proactive approach to security and risk management means staying one step ahead of vulnerabilities and being more secure and resilient.

At the same time, it is clear that a one-size-fits-all approach to security in the cloud will not work. It is about getting the appropriate security in place for the workload (or service) that is being considered.

The fundamental things apply

The fundamentals of security still apply. Individuals and businesses still want to know where their information is, who is accessing it and how it is being used so they can manage and protect it.

Working out where and how to apply security is central to delivering it. Cloud security can be delivered either as part of the service or as a component that can be added. Depending on your provider, it may be that a combination of these approaches is necessary.

To ensure security in the cloud organisations have to think strategically. Not all workloads are created equal so careful consideration must be given to each before determining its appropriateness for movement into the cloud.

Organisations must understand the governance and security requirements for each proposed workload and then validate whether these can be met within the cloud environment. It is only through this selective evaluation process that customers can avoid audit exposure and control the proliferation of data that may be subject to a variety of controls and residency requirements.

Roles model

There is also a need to establish clear roles and responsibilities. When adopting public and hybrid cloud solutions the relationship between consumer and provider closely resembles a traditional IT outsourcing arrangement. Therefore it is critical that each party has a clear understanding of their security obligations. For example, the responsibility for securing a software as a service offering is largely that of the provider because the solution is consumed as a packaged static application. At the other end of the spectrum, infrastructure as a service exposes users to a greater responsibility for securing individual virtual machines.

Call for backup

It is also essential to have a backup plan. Most public and private cloud solutions trade direct control for cost savings and efficiencies derived from the economies of scale. Transferring control of specific IT functions to another party does not obviate responsibility for the availability of key workloads.

Organisations must consider a provider’s disaster recovery and restoration plans in the context of their needs, keeping in mind requirements regarding service availability, data backup, data residency and so on.

Reputable cloud providers should offer a variety of service level agreements (SLAs) that include metrics such as availability, outage notification, service restoration, average time to resolve and notification of breaches. Providers should report on SLA compliance and deliver agreed remedies.

All too often organisations spend time and money developing security strategies that employ the latest (and most expensive) technical controls while turning a blind eye to the basics of risk assessment, policy development and the continuous validation of established and required controls.

Nick Coleman is global cloud security leader at IBM