Cloud Computing Security

Cloud Computing Security

Cloud computing security has never been so much a critical requirements as it is today. According to the siliconAngle website, the following figures reflects  the evolution of cloud usage in the last few years: · By 2015, end-user spending on cloud services was deemed to be reaching  more than $180 billion  · It is predicted that the global market for cloud equipment will reach $79.1 billion by 2018 
· If given the choice of only being able to move one application to the cloud, 25% of respondents would choose storage  · By 2014, businesses in the United States were spending more than $13 billion on cloud computing and managed hosting services  ·  44% annual growth in workloads for the public cloud versus an 8.9% growth for “on premise” computing workloads is expected till 2018 · 82% of companies reportedly saved money by moving to the cloud  · More than 60% of businesses utilize cloud for performing IT-related operations · 14% of companies downsized their IT after cloud adoption  · 80% of cloud adopters saw improvements within 6 months of moving to the cloud   · 32% of users in the US believe cloud computing is a thing of the future · In 2014, there was an estimated 1 Exabyte of data stored in the cloud.
  
· Half of the enterprises using the cloud have organization currently transferring sensitive or confidential data to the cloud · Global data centre traffic will grow threefold (a 25 percent CAGR) from 2012 to 2017, while global cloud traffic will grow 4.5-fold (a 35 percent CAGR) over the same period    · 2014 was the first year the majority of workloads was on the cloud as 51% were processed in the cloud versus 49% in the traditional IT space  · 56% of siliconAngle survey respondents trust the ability of cloud providers to protect the sensitive and confidential data entrusted to them  · 38% of enterprises surveyed, by siliconAngle, break out cloud computing budgets, while 60% include cloud-related spending as part of their enterprise-wide IT budgets.

These statistics s do not provide and exhaustive view of the current cloud computing landscape, but they highlight its emergence and its related benefits in today’s information technology landscape. When it comes to security, one may wonder if the 56% trust  the ability of cloud providers to protect the sensitive and confidential data entrusted to them, is well funded... Probably not. Indeed somehow, ignorance may be a bliss at times  but any serious enterprises should really understand what the security aspects are with the cloud and what their cloud suppliers as well as themselves should expect and implement.

For example, If your enterprise uses cloud services, ultimately, your enterprise is responsible and liable from a legal perspective for protecting your customers' data – it is not the cloud provider's liability.  For the Public Sector, privacy and compliance can even be more of a headache in the cloud as often cloud providers will have data strewn across the globe in a variety of datacentres, whereas legislation such as the EU Data Protection Directive or the UK HMG  Security Classifications lay out strict rules for how organizations must process and store personally, official  or  identifiable information, and how it can be transferred across international borders.
 
Chef Information Officers need tools that provide visibility, user access control, and data security across hosting models, user populations, and device access methods. Forrester sees the cloud security market as consisting of four different areas: cloud data protection (mainly encryption), cloud data governance, cloud access security intelligence, and cloud workload security management.
For the purpose of this blog, we are going to look at the main principles that govern cloud security. They are as follows:

Cloud Security Principle Description Why this is important

1. Data in transit protection
Enterprise data transiting networks should be adequately protected against tampering and eavesdropping via a combination of network protection and encryption.
If this principle is not implemented, then the integrity or confidentiality of the data may be compromised whilst in transit.  

2. Asset protection and resilience
Enterprise data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.
If this principle is not implemented, inappropriately protected enterprise data could be compromised which may result in legal and regulatory sanction, or reputational damage. 

3. Separation between enterprises
Separation should exist between different enterprises of the service to prevent one malicious or compromised enterprise from affecting the service or data of another.
If this principle is not implemented, service providers can not prevent a enterprise of the service affecting the confidentiality or integrity of another enterprise’s data or service.  

4. Governance framework
The service provider should have a security governance framework that coordinates and directs their overall approach to the management of the service and information within it.
If this principle is not implemented, any procedural, personnel, physical and technical controls in place will not remain effective when responding to changes in the service and to threat and technology developments.  

5. Operational security
The service provider should have processes and procedures in place to ensure the operational security of the service.
If this principle is not implemented, the service can’t be operated and managed securely in order to impede, detect or prevent attacks against it. 

6. Personnel security
Service provider staff should be subject to personnel security screening and security education for their role.
If this principle is not implemented, the likelihood of accidental or malicious compromise of enterprise data by service provider personnel is increased.  

7. Secure development
Services should be designed and developed to identify and mitigate threats to their security.
If this principle is not implemented, services may be vulnerable to security issues which could compromise enterprise data, cause loss of service or enable other malicious activity.  

8. Supply chain security
The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to implement.
If this principle is not implemented, it is possible that supply chain compromise can undermine the security of the service and affect the implementation of other security principles.  

9. Secure enterprise management
Enterprises should be provided with the tools required to help them securely manage their service.
If this principle is not implemented, unauthorised people may be able to access and alter enterprises’ resources, applications and data. 

10. Identity and authentication
Access to all service interfaces (for enterprises and providers) should be constrained to authenticated and authorised individuals.
If this principle is not implemented, unauthorised changes to a enterprise’s service, theft or modification of data, or denial of service may occur. 

11. External interface protection
All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks through them.
If this principle is not implemented, interfaces could be subverted by attackers in order to gain access to the service or data within it.  

12. Secure service administration
The methods used by the service provider’s administrators to manage the operational service should be designed to mitigate any risk of exploitation that could undermine the security of the service.
If this principle is not implemented, an attacker may have the means to bypass security controls and steal or manipulate large volumes of data.   

13. Audit information provision to enterprises
Enterprises should be provided with the audit records they need to monitor.
If this principle is not implemented, enterprises will not be able to detect and respond access to their service and the data held within it. to inappropriate or malicious use of their service or data within reasonable timescales.  

14. Secure use of the service by the enterprise
Enterprises have certain responsibilities when using a cloud service in order for this use to remain secure, and for their data to be adequately protected.
If this principle is not implemented, the security of cloud services and the data held within them can be undermined by poor use of the service by enterprises. 

Author: White Wolf Rising
Date: July 2017