Security in the Cloud

As with any outsourced service, such as the Cloud, security is paramount. The security objectives of an organization are a key factor for decisions about outsourcing information technology services and, in particular, for decisions about transitioning organizational data, applications, and other resources to a Cloud computing environment.

SCC’s main focus and dedication lies in meeting and exceeding security challenges in the emerging Cloud environments. Security issues are the main impediment for a wider base of adoption of Cloud, however, the perception is not the reality. Cloud technology in fact is now much more advanced at security management than most in-house IT environments. The fail rate of security breach is a fraction compared to internal IT. This perception will eventually dissipate as more adoption to Cloud emerges and experience the level of security integrity.

Security and privacy must be considered from the initial planning stage at the start of the systems development life cycle. Attempting to address security after implementation and deployment is not only much more difficult and expensive, but also more risky.

The Cloud has led to a revolutionary shift in the security paradigm. Virtualization and Cloud computing are redefining or stretching traditional boundaries and perimeters in networks. Within virtualized data centers and Cloud infrastructures, data is no longer tied to one server or even one group of servers, and it can be accessed from multiple devices simultaneously.

To protect data, therefore, security solutions cannot embrace a “lock-down” mentality, or rely solely on defense at traditional perimeters. Security solutions must evolve towards an integrated security approach that follows the data from physical to virtual to Cloud environments.

Following and protecting the data requires that security take into account the context of the data. Context-aware protection shifts focus from defense inside a perimeter to smart data protection that takes into account data information such as user identity, type of data being accessed, geographical location, and more.

A data-centric security approach is ideally suited to the challenges of accelerated data flows precipitated by Cloud computing and virtual machine data storms. This approach also supports consumerization, extending data protection to the multitude of mobile devices now used by employees, giving customers back control over their data, wherever it resides.

There are four broad aspects to cloud security

Security and Privacy: Concerns such as data protection, operational integrity, vulnerability management, business continuity (BC), disaster recovery (DR), and identity management (IAM) make up the list of security issues for Cloud computing. Privacy is another key concern – data that the service collects about the user (e.g., event logs) gives the provider valuable marketing information, but can also lead to misuse and violation of privacy.

Compliance: Data privacy and business continuity are two big items for compliance. Specific issues such as geo-location of data centers, incident response procedures, eDiscovery support, and proper handling of logs and audit trails all come to focus here.

Legal and contractual Issues: Legal issues may arise in the context of Cloud computing. For instance, liability and intellectual property are two examples of legal issues that Other contractual issues include end-of-service support – when the provider-customer relationship ends, customer data and applications should be packaged and delivered to the customer, and any remaining copies of customer data should be erased from the provider’s infrastructure, etc.

Centralized Identity: Is a foundation to Cloud security and compliance. When data is moved to the Cloud, identity and access control plays a central role for both security and regulatory compliance. This is a much more significant issue than simply managing identities “in the Cloud.” Enterprises need to find technologies that enable them to extend the enforcement of access rights from their on-premise systems out to their SaaS and Cloud environments.

Ultimately, the organization is accountable for the overall security of the outsourced service. Monitoring and addressing security issues that arise remain in the purview of the organization, as does oversight over other important issues such as performance and availability.