Regardless of all the hype concerning the subject, security in cloud computing is not a revolution; rather it's an evolution of the age-old business model of outsourcing. The concept of cloud computing has evolved from the concepts of grid, utility, and software as a service (SaaS), and these models evolved from the application service provider in the mid-to-early 1990s.

The emerging model of cloud computing allows people to tap into a vast network of computers scattered around the world using any type of connected device to analyse an abundance of information on demand. The information resides in massively scalable datacentres, provided by an outsourcer, which are enabled by the maturity of virtualisation technology.

With any outsourcing model, business owners, not service providers, are ultimately responsible for maintaining the confidentiality, integrity and availability of their data. Before embracing any type of outsourcing model, be it cloud or traditional, businesses must exercise best practices to ensure they are working with a trusted service provider who will be gaining access to, and helping protect, sensitive company data. It is also important to note that cloud computing is fundamentally an extension of an organisation's environment, and similar vigilance needs to be in place as it relates to periodic assessments of what information is deemed "safe for the cloud".

Cloud formations

When looking at clouds, there is a need to distinguish between the various cloud categories. While cloud computing is traditionally viewed as an external service provided by a third-party entity, there are other types of cloud environments. For example, a cloud infrastructure that is hosted internal to an organisation is often- referred to as a private cloud. While private clouds do not offer the benefits of reduced capital costs, which is a main benefit of public clouds, they do reduce concerns about unfettered data access. A third option, and perhaps what will become the more common model, is a hybrid cloud infrastructure. In a hybrid cloud, data is segmented between public and private clouds. This can be considered a normal evolution of cloud computing as organisations are demanding that their critical data be protected, and will likely outsource less critical information to public environments, and self-manage their more essential data. Each variation of cloud computing introduces the need for strong security and governance but the metrics used to manage them will vary dramatically.

When organisations begin to deal with multiple cloud environments, particular emphasis should be placed on the areas of identity, access control and audit. One of the most common challenges organisations will face in the cloud is user identity and privileges. Organisations will need to be very diligent in the management of least privileged user conditions. While this represents some overhead, it also offers benefits to organisations in that they are in a better position to address regulatory conditions. Firms should adopt frequent reviews of users and should look at their roles in the organisation in order to properly assign access rights and ensure that ‘ghost users' no longer have access to systems.

This distinction proves that this new era of computing is as much about the need for security as it is about the need for communication. Businesses must not only trust their service provider, but also, during the information-gathering process, enable open communication to ensure proper oversight and control of the information being accessed. A security risk assessment should always be conducted by checking the provider's credentials, from where the service is operated, and to which external assessments the supplier adheres. More-over, service providers should provide informational assets and mechanisms that allow for real-time understanding of the security posture. In addition to a risk assessment, proper security measures must be in place at the customer's premises- to ensure secure transactions with the cloud. This is accomplished through implementation of traditional in-depth defence practices such as network and endpoint protection, coupled with managed security services for real-time monitoring and response.

Security questions

While most firms remain unaware of every-day in-house security controls and protections, the act of extending their business out to the cloud amplifies the need to increase under-standing of current security models. A cloud model implementation must offer adequate or better security and management than that currently in place. By focusing on the data involved, businesses can better understand the outsourcing process. Questions such as "Is this data mission-critical?" and "Does this represent private customer information?" enable businesses to determine the level of security they need and decide if the data load is appropriate for the cloud.

Not all business data loads are appropriate for the cloud model - as would be the case for any outsourcing manoeuvre. When considering data security, information that has external-facing attributes and is not considered mission-critical should be considered safe for the cloud. Internal-only data that is non-mission critical is also considered safe. Regardless, the appropriate levels of security should always be applied to each classification of information while minimising the likelihood of creating security or business exposures. Keep in mind though that if the data set is mission-critical, it might be most secure behind a company's own firewall. More importantly, for information that is both competitive and mission-critical, firms can best control risk by looking to manage it themselves.

As organisations transition to the cloud, the need for increased management facilities will arise, as firms will become more dependent on ‘command and control' solutions that allow for issue determination, rapid remediation, and forensics. Best-of-breed solutions will bridge both private and public cloud instances, increasing overall visibility to environmental risks, while reducing management overheads. At the same time, these tools will erode the divisions between service management, security and regulatory compliance.

As organisations take a more introspective look at security, these tangential management areas provide critical information to the security of cloud. For example, monitoring virtual environment load statistics not only provides- data on the cloud's quality of service, but can also identify high-risk areas and abnormal usage patterns.

While security risks may always be a concern in IT, businesses that embrace new technologies while maintaining strategic focus on core IT and business initiatives will be successful in the emerging technology landscape and will have the tools to better leverage existing resource investments. In order to satisfy today's challenges in the explosion of data, the need for businesses to move to the next generation of computing, cloud computing, is imminent.

About the author

Harold Moss is a security architect for IBM Software Group