Cloud Security is one of the buzzwords in the industry today. But, what does it mean? Are there new kinds of threats with the cloud?
Cloud service providers and customers of cloud computing are two broad categories of entities who are concerned about security related to cloud services. There are many different delivery models SaaS, PaaS, IaaS etc and with each of these models there are various types of cloud – private, public, hybrid. Each of these combination potentially has it’s unique security concerns.
But, broadly speaking, cloud computing service providers are concerned about the security of the infrastructure they provide to their customers. The virtualization software used by cloud service providers now create an additional layer that needs to be configured correctly, monitored, maintained and generally protected from attackers.
The spate of hacks related to cloud services that have happened over the last year is bound to worry all stakeholders. The convenience of the cloud is so overwhelming and the benefits so immediate that there has virtually been an en masse migration to the cloud. Cloud adoption rates have hit the roof in-spite of the fear that people have over losing control over their data. Post the Snoden era, the PRISM (no pun intended) through which we view cloud security has changed our notions of data privacy on the cloud.
Preventive, detective & corrective controls should be adopted by both service providers and customers. Service providers should ensure the security of the infrastructure and the virtualization software. The management terminal needs to be recognized as a highly sensitive device and appropriate controls – logical and physical – need to be put in place. Customers should ensure that strong encryption is used for the data that they put onto the cloud with the assumption that there are agents who are always on the prowl for data. There are services today that offer to encrypt your data even before it is uploaded to your cloud storage.
Customers must ensure that the provider has adequate risk assessments done by a third party. Customers should have clarity on the location of data and the provider’s data segregation policy to start with.
Information Security, SSAE 16, ISO 27001, CISA, Cert-IN