Tuesday, 30 March 2010

Take-Away from Kuppinger Cole's Cloud Computing Security Foundations Virtual Conference (Part 2)

Last week, on March 25-26, 2010, Kuppinger Cole sponsored a virtual conference on the topic of the Security Foundations for Cloud Computing. The event was organized around six identity and security-related questions that were the subject of keynotes, panel discussions and analyst viewpoints. What follows are my "augmented" take-away notes on these viewpoints. In Part 1 of this post, I focused on the question "Cloud Computing security standards: which ones are already there and which ones are missing?". Part 2 focuses on Martin Kuppinger's opening keynote around the question "Cloud Computing, is it really a risk?"

Let's start with the end of the talk, which concludes by debunking some Cloud Computing security myths.
  1. The Cloud is not inherently insecure. It mainly depends upon the provider's ability to do a proper job with the management of the security threats.
  2. Conversely, the Cloud is not more secure than internal IT. Again, it depends on both the Cloud provider and internal IT expertise to deal with security threats.
  3. A few Cloud security issues are new. Most already exist in internal IT and with outsourced service providers.
  4. Security is the problem of the Cloud provider only to the extent that it falls within the scope of its service delivery description. For example, an IaaS provider is not responsible for the security of the hosted operating system. A PaaS provider is not responsible for the security of the enterprise's data and applications. A SaaS provider is not responsible for the enforcement of the enterprise's governance and auditing policies.
  5. We can store data outside of the EU zone, but careful consideration must be given to the EU's data security and privacy regulations as enforced by the member states. For example, EU privacy law prevents the disclosure of sensitive personal information, without the explicit consent of the user, to countries outside of the EU that do not honor equivalent privacy laws. To cope with this problem, some providers are now offering features that keep data in a sticky location (a chosen security zone or region) across their distributed data centers.
  6. SAML unfortunately doesn't solve all the IAM issues in the Cloud. It helps to solve secure authentication issues, but doesn't help much with the larger problem of authorization.
  7. It is somewhat true that security in the Cloud can't be measured. In particular, auditing and risk metric logs are missing, due in part to the lack of standardization, as described in Part 1 of this post, although the situation should improve over time.
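To make point 6 concrete, here is an added example (not from the post, nor from Kuppinger Cole) showing what a SAML assertion actually settles and what it leaves to the relying party. The assertion is constructed and unsigned, the issuer, audience and attribute names are invented, and the local policy table stands in for the SaaS application's own authorization rules. The assertion tells the application who authenticated and which attributes the identity provider vouches for; whether that user may perform a given action is still decided by a policy the application must own and maintain itself.

```python
"""Constructed SAML 2.0 assertion: authentication is settled by the IdP,
authorization is still the relying party's own policy decision."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample for illustration only. A real relying party
# must verify the XML signature, Issuer and validity window before trusting
# anything inside it; that verification is out of scope here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2010-03-30T10:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-03-30T09:55:00Z" NotOnOrAfter="2010-03-30T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://crm.example-saas.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-03-30T10:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>employees</saml:AttributeValue>
      <saml:AttributeValue>crm-readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract what the IdP asserts: subject, audiences and attributes."""
    root = ET.fromstring(xml_text)
    subject = root.find("saml:Subject/saml:NameID", NS)
    audiences = [
        a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "subject": subject.text if subject is not None else None,
        "audiences": audiences,
        "attributes": attributes,
    }


def accept_assertion(identity, expected_audience):
    """Authentication side: the assertion must be addressed to this service."""
    return expected_audience in identity["audiences"]


# Hypothetical local policy of the SaaS application: action -> groups allowed.
# Nothing in the assertion supplies this; the service has to own it.
POLICY = {
    "crm:read": {"crm-readers"},
    "crm:export": {"crm-admins"},
}


def is_authorized(identity, action):
    """Authorization side: default deny, then check asserted groups."""
    required = POLICY.get(action)
    if required is None:
        return False
    groups = set(identity["attributes"].get("groups", []))
    return bool(groups & required)


if __name__ == "__main__":
    who = parse_assertion(SAMPLE_ASSERTION)
    print("subject:", who["subject"])
    print("accepted for CRM:", accept_assertion(who, "https://crm.example-saas.com/"))
    for action in ("crm:read", "crm:export", "crm:delete"):
        print(action, "->", is_authorized(who, action))
```

The point of the split is that the assertion's attributes are only inputs to an authorization decision; the mapping from those attributes to permitted actions (here `POLICY`) lives in the application, and the default for an unknown action is deny.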

CEOs and CIOs need to understand that Cloud Computing requires new policies and new controls because it may give rise to new IT risks with an operational and even strategic impact on the enterprise's efficiency and effectiveness. Adopting Cloud Computing to externalize computing resources raises the question of weighing opportunities against operational and strategic risks.

When assessing Cloud security risks, we tend to think of the technology side of the issue rather than the information side. This way of thinking should be reversed: in IT, the technology exists to manage the information, not the other way around. Therefore, information should take precedence over technology when assessing the security and risks associated with Cloud Computing. For example, before moving to the Cloud, enterprises should start by thinking about where the information is and what it means from a security and risk management perspective. This should help decide what kind of information can reside in a public Cloud versus what kind should stay on-premises. Answering this question, along with which services or applications use this information, should also help determine which technology and Cloud provider can fulfill the enterprise's data security and risk management requirements. Another important consideration for CIOs, at the beginning and throughout the service procurement process, is how well the Cloud provider meets the service continuity and security requirements. The risk that the provider does not fulfill them should be covered by the Service Level Agreement (SLA). Thus, a precise and standard description of the service level in the SLA should be the foundation of a risk mitigation strategy, looking at service procurement characteristics such as information location, security of transport, security of storage, authentication and authorization of users, auditing interfaces, and privileged user controls.

So, yes, there are risks involved in using Cloud services. Some are new and some are old, though the old ones can be exacerbated by the diversity and number of actors. But most risks associated with Cloud Computing are well known and not really new or specific to it. Knowing these risks and understanding how well they are covered (or not) through a detailed service description allows drawing up risk mitigation plans. Depending on the quality and expertise of the Cloud provider, some internal security weaknesses can be reduced by externalizing the procurement of IT services; on the other hand, doing so can introduce new risks. The crucial point of the decision-making process is to strike a fine balance between the Cloud's numerous benefits in cost cutting and business agility and the new risks arising from externalizing IT services.
