Cloud Security: Introduction
The cloud: everyone's racing to be there, and the blogs and forums are abuzz, as they have been for some time now. Personally though, I feel that cloud computing isn't necessarily new. It's a new enough take on how we design, deploy and manage application and computing services, and it is worth the excitement. With so much excitement around, cloud security tends to be given less importance than it deserves.
Consider the following facts about Cloud:
• A recent study by the London School of Economics, underwritten by Microsoft and covered by Forbes.com, shows that cloud-related jobs in the smartphone sector are set to grow by 349%.
• Depending which estimate you believe, the revenue from Cloud Computing services will be anywhere from $118.7 to $148.8 billion by 2014.
• IEEE spectrum reports a prediction of nearly a billion people subscribing to mobile cloud apps by 2014.
These huge numbers show a lot of interest and excitement around cloud computing. When we store our information, whether personal or as a business, with cloud vendors such as Rackspace, Google, Microsoft, Dell, Apple, Amazon and the multitude of others, there's potentially a lot at stake. This covers many things, including our privacy and our customers. So our utmost priority is to consider the security initiatives and practices designed to make Cloud Computing as secure as any other technology solution. It's important that we do due diligence, so that we're as prepared as we can be for the potential downsides and can maximize the upsides.
In this article we discuss and raise a few questions for your consideration. Some questions you may have thought of and discussed already, some you may not. These questions aim to help ensure that you've taken a good look at the implications, legal requirements and other cloud security issues.
What are the Legal Responsibilities?
Depending on the provider's geographic location, the provider will be subject to a number of legal requirements and responsibilities. Some of this legislation includes:
• The Sarbanes–Oxley Act.
• The Gramm–Leach–Bliley Act.
• PCI (Payment Card Industry) Compliance.
Also, the type of data that is being stored may be subject to even further legislation, such as HIPAA. So before committing to a contract with a provider, did you verify that they comply with the respective legislation?
Are you fully conversant with the relevant acts pertaining to your business and your information? Have you taken the time to take these into consideration during the due diligence process with your vendor and vendor solutions?
What Happens if the Provider Goes Bankrupt?
I'm not of the opinion that companies like Apple, Google and Amazon are likely to go bankrupt. But in recent years the global financial crisis and its impact have brought down old and well-respected companies too. You should factor in a plan to cover your data and a migration strategy to a different vendor, should the need arise. Are you sure, and have you gone over your data recovery practices, that in the event of this happening you will have continuity of service and can continue to adhere to your stated SLAs?
How Secure Are the Data Centers?
This question isn’t really new to Cloud computing and is something we all do consider. But it bears repeating. What are the security measures that your provider puts in place to secure the data centers and the information therein? Does the vendor have good intrusion detection procedures? What are the network level security features and policies like?
Then there's the question of staff. What checks do they have in place for their staff? Is the data secured such that staff aren't able to take it off site? Are there suitable access controls in place such that only suitably authorized personnel are able to access the respective data? Have they considered role-based, mandatory or discretionary access controls?
What logging is in place? When information is accessed, is there a record of it occurring? It is one thing to be able to recover from a security breach, but it’s important to know what happened, by whom and when to help ensure that it never happens again.
Are staff suitably trained? No matter if you have the best security measures in place, if staff are able to circumvent them, then their effectiveness is nearly nought. Consider the recent Apple iCloud security breach of Mat Honan's account that set blogs and Twitter ablaze, or the similar security breaches that happened at Amazon and at GoDaddy.
How Secure Are Your Web Applications?
It's all very well and good to consider the previous questions about the vendor's security, but what about looking closer to home? In the process of moving applications to the cloud, have we stopped to consider how secure they are? If we have the proverbial 12-inch-thick wall all around but leave the back door open, we can hardly complain if and when it's abused to gain access to our data.
Does your company take application security seriously? Have you devoted sufficient budget to ensuring that your applications are resistant to the variety of attack vectors available, such as Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF/XSRF) and SQL Injection attacks?
The PHP Security Consortium, amongst others, provides a solid guide on securing your web applications. Does your development team take security seriously? If you outsource, have you stipulated that security is a must in the applications that are produced?
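As an added illustration of the three attack classes named above (this is example code written for this edit, not code from the article or from the PHP Security Consortium guide), the following PHP shows the vulnerable pattern for SQL injection beside its prepared-statement replacement, output escaping against XSS, and a per-session CSRF token checked in constant time. The function names, the in-memory SQLite table and the sample rows are all constructed for the example.

```php
<?php
// Added example (not from the original article): three application-level
// defences, written as small functions so each can be exercised in isolation.
declare(strict_types=1);

// SQL injection: string concatenation lets input rewrite the query ...
function findUserUnsafe(PDO $db, string $email): array
{
    // Never do this: $email becomes part of the SQL text itself.
    $rows = $db->query("SELECT id, email FROM users WHERE email = '$email'");
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

// ... whereas a bound parameter travels separately from the query structure.
function findUserSafe(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// XSS: escape on output, for the context the value lands in (HTML body here).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// CSRF: one random token per session, embedded in every form and required on
// every state-changing request. The array stands in for $_SESSION.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function validateCsrfToken(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    // hash_equals avoids leaking the token byte by byte through timing.
    return hash_equals($session['csrf_token'], $submitted);
}

// Demonstration against a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')");

// The textbook tautology input: the unsafe query matches every row, the
// prepared statement matches none because it looks for that literal string.
$input = "' OR '1'='1";
printf("unsafe: %d rows, safe: %d rows\n",
    count(findUserUnsafe($db, $input)),
    count(findUserSafe($db, $input)));

// Markup in user-supplied text is rendered inert once escaped.
echo escapeHtml('<script>alert(1)</script>'), PHP_EOL;

// CSRF round trip: the session token must match the copy submitted with the form.
$session = [];
$token = issueCsrfToken($session);
var_dump(validateCsrfToken($session, $token));
var_dump(validateCsrfToken($session, 'forged-token'));
```

The point of putting the unsafe and safe query side by side is that both look reasonable at a glance; only the separation of data from query text makes the second one resistant, which is why review checklists and outsourcing contracts should name prepared statements, output escaping and CSRF tokens explicitly rather than asking for "security" in general.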
These are but a few of the questions that we should consider, and I hope that they haven't scared you off but rather have helped ensure that you keep cloud security in mind. I truly believe that Cloud Computing can and should be an excellent leap forward and brings with it a raft of benefits that we can all prosper from. But we have to do our due diligence. What measures are you taking to ensure the security and continuity of your business in the cloud?
I’ve provided the following links should you want to learn more about the impact of security in the cloud.
• Rackspace CEO’s Cloud Computing Business Strategy
• Cloud Computing: Legal and Regulatory Issues
• Summary of the HIPAA Privacy Rule
• Moving to the cloud? Take your application security with you
• Cloud Computing Drives Mobile Data Growth
• Legal Cloud: Have It Your Way
• Cloud computing security
Matthew Setter is a software developer, specialising in reliable, tested, and secure PHP code. He’s also the author of Mezzio Essentials (https://mezzioessentials.com) a comprehensive introduction to developing applications with PHP's Mezzio Framework.