Cloud computing creates significant security risks. Large enterprise need to be cautious about putting sensitive information into cloud computing. We need to understand who is in control of the data once it is put out in to the cloud. IDC survey suggests 74% of security issues are significant. Who is going to pay for the DoS attacks. There is a lack of transparency and accountability about security among cloud vendors which lowers trust in them.
We need to be cautious about PII and privacy regulations especially that of Canada before subscribing to cloud services. Due to other consumers using the same cloud, there could be violation of contractual agreement. Salesforce.com is not accountable for security and Amazon web services does not have SAS 70 Type 2 certification. We need to consider the outrageous terms of use of such companies before signing up. There are many incidents that involve current cloud computing environment.
Instead of comparing of current policy and standards against cloud computing, we need to measure security in terms of realistic target. Once done correctly, it could help in the long run. However, no-SLA (like that of SalesForce.com) does not help. Private clouds can support secure collaboration wit external partners. PaaS offering may help to include proactive security into SDLC.
Instead of transferring the risks, try to improve the controls and governance for cloud. We may need to rethink our existing Risk Management processes that is suitable for cloud computing. We may require third party investigators to investigate any incidents between consumer and provider.
Since activities and data move to open and untrusted networks, we may need to rethink our existing security technologies. Key technologies include data center consolidation, server and storage virtualization, application rationalization and web based computing such as SOA.
Key enablers are enterprise key management, identity and policy services, strong authentication and federated identity.
Understand your gaps, where applicable obtain risk acceptance from business unit leaders and put security “hook” into appropriate processes so that it is under the radar of the business. Take small steps into the public cloud with low risk applications. Its better to build internal clouds so that data is in control within the business. Demand the vendor for more transparency and define better audit assessment criteria. Choose vendors who support industry standards rather than using their own cooked ones.
The topic was presented by Dan Blum of Security Risk Management at Burton Group. He recommends reading artifacts of Cloud Security Alliance.