Security in the Cloud and Elsewhere

September 21st, 2010

Security, in the cloud or elsewhere, is a crucial topic that could fill many pages. There are however a smaller number of summary requirements that should be examined by IT architects.

As companies move or build solutions in the cloud, having a consistent security model is vital to simplify development and to avoid vendor lock-in and preserve their IT investments.  However, the same applies to internal private cloud configurations or just plain IT systems in general.

With a cloud-based application, access control is just as important, but the infrastructure, platform and application of security is under the direct control of the cloud provider. The Cloud Security Alliance (CSA) published the second edition of its guidelines for secure cloud computing, delivering a document that sets out an architectural framework and makes a host of recommendations around cloud security.

The following section describes the relevant security controls as discussed by CSA.

Security Control

Description

Asset Management It must be possible to manage all of the hardware, network and software assets (physical or virtual) that make up the cloud infrastructure. This includes being able to account for any physical-or network-based access of an asset for audit and compliance purposes.
Cryptography:

Key and Certificate Management

Any secure system needs an infrastructure for employing and managing cryptographic keys and certificates. This includes employing standards-based cryptographic functions and services to support information security at rest and in motion.
Data / Storage Security It must be possible to store data in an encrypted format. In addition, some consumers will need their data to be stored separately from other consumers’ data.
Endpoint Security Consumers must be able to secure the endpoints to their cloud resources. This includes the ability to restrict endpoints by network protocol and device type.
Event Auditing and Reporting Consumers must be able to access data about events that happen in the cloud, especially system failures and security breaches. Access to events includes the ability to learn about past events and reporting of new events as they occur. Cloud providers cause significant damage to their reputations when they fail to report events in a timely manner.
Identity, Roles, Access Control and Attributes It must be possible to define the identity, roles, entitlements and any other attributes of individuals and services in a consistent, machine-readable way in order to effectively implement access control and enforce security policy against cloud-based resources.
Network Security It must be possible to secure network traffic at the switch, router and packet level. The IP stack itself should be secure as well.
Security Policies It must be possible to define policies, resolve, and enforce security policies in support of access control, resource allocation and any other decisions in a consistent, machine readable way. The method for defining policies should be robust enough that SLAs and licenses can be enforced automatically.
Service Automation There must be an automated way to manage and analyze security control flows and processes in support of security compliance audits. This also includes reporting any events that violate any security policies or customer licensing agreements.
Workload and Service Management It must be possible to configure, deploy and monitor services in accordance with defined security policies and customer licensing agreements.

Let Daniel L. Ruggles  and the team at PM Kinetics, LLC help you navigate the complexities of IT Governance, Cloud Computing, Sourcing & Capital Planning, Vendor Management, IT Security, and Infrastructure planning & execution. For more information on our technical consultancy services, contact or call PM Kinetics today at (678) 528-7399.