Information Technology services have always strived towards new standards for its day to day operations. Cloud computing is the new revolution, which is attracting customers globally with various offerings like reduced costs, space, etc. So what is cloud computing? When we hear the words ‘cloud computing’, many thought processes come to our mind. ”Cloud computing” is contained in the words “cloud” and “computing”. It refers to the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, instead of a local server. The below diagram gives a structural overview of cloud computing and some of the different supporting infrastructures.
Clouds are of different types – Public, Private, Hybrid and some others. There are different cloud services available today depending on our requirements¾IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service). The different services can be described schematically as below.
We are not going to discuss in detail about the different clouds and services, but will put some thoughts on the importance of having them secured. We always have all our infrastructures in a cloud behind a security device, but does that guarantee a complete security for our data or infrastructure?
With the growth of cloud computing, technology experts along with security specialists are always adopting/trying different standards to secure their infrastructure in cloud locking them from outside networks. As of today there are no universal definitions that define effective cloud security. Cloud devices are prone to attacks from cyber criminals like any other hosted devices that facilitate the need for improved cloud security.
Data privacy and data protection are major concerns for any security expert in an organization regarding their infrastructure in the cloud. Data may not get stored in the same system within a public or community cloud, resulting in multiple concerns legally. As of today, there are no safety standards and regulations stated by the providers for the customers to ensure sufficient security. In fact, there are no accepted best practices. Auditing, regulatory requirements, datacenter standards, etc. are some areas where providers offer some guidance on their cloud environments and their security. This can be a complicated approach to the ever demanding need for cloud security. Virtualization security, identity and access management, threat management, content security, and data privacy need to be given priority and require more focus.
Legal and regulatory compliance is yet another concern. If your data is subject to legal restrictions or regulatory compliance, using public clouds may not be ideal. Cloud providers may introduce a means of certification to address the need of regulated markets, but achieving certification may be challenging due to the many non-technical factors. There can be a regulatory body setup for cloud, which can set guidelines for cloud security needs.
A fundamental reevaluation of existing cloud security strategies is essential and long overdue. Data encryption all through the lifecycle can be one method of data protection. Encryption itself is not adequate to protect sensitive data from being compromised but should also have an effective security management strategy that enables organizations to develop and implement policies during a key’s lifetime and ensure that the keys used to decrypt data cannot be compromised by unauthorized users. Again all the aspects direct to having an effective strategy/policy. Therefore we need to think whether a strategic body can be formed to define standards for cloud operations.
Cloud server protection is very important and different strategies, process can be implemented as discussed below.
Importance and need for Data Privacy & Protection
In cloud we are not sure where our data resides, what we know is these are shared servers. Chances are that the data might be exposed to anonymous users. Even if the cloud provider encrypts data and has the key, the data can still be accessed by anyone working for the cloud provider. Best practice would be to trust providers whose policy allows you to maintain the encryption keys. It is important to have a strong security policy or strategy for granting access to data that resides in cloud. This can curb data leakage and protect your valuable data.
Importance and need for Identity and Access Management
Security of our IT resources is always challenging. Identity and access management has an increased importance in cloud as the data is spread across different environments and users belonging to different areas (employees, vendors, partners) have interest in the data. Therefore the need of control over who can access, what level and kind of access (read/write) forces us to define identity and access management more effectively in a cloud environment.
Importance and need for Threat Management
Cloud data traffic flows through different layers. We have visibility only to our gateways. So the traditional network intrusion system deployment can’t help here as the data feed to Network Intrusions Detection System (NIDS) is not possible. Your cloud provider may or may not have threat management capabilities, but at the end of the day if a breach happens your assets are at risk. So it is important to think about more secure ways such as host intrusion detection system. Host intrusion detection systems can detect breaches at host levels and can play an important role. Each instance in cloud can detect and alert unauthorized changes and access to the system.
Cloud security and its importance are widely being discussed today. Enterprises are moving more towards cloud, owing to different factors. At the same time it’s their responsibility to ensure that the data is safe and secure. The need for cloud security is thus a challenging and emerging topic.
An Article by By Dilraj D N and Jerin Joy