The Cloud allows the procurement of IT services from both internal and external suppliers to be optimized because the services are delivered through the Internet in a standard way. The Cloud is not a single model, but covers a wide spectrum from applications shared between multiple tenants to virtual servers used by one customer and hosted internally.
The key benefit of a Cloud approach is one of scale; the Cloud provider can potentially offer a better service at a lower cost because the scale of their operation means they can afford the skilled people and state-of-the-art technology necessary to deliver a secure service.
In general, a large Cloud provider is likely to provide a better and more secure IT service at a lower cost than a small to medium sized enterprise could provide itself.
While the public Cloud offers applications shared by multiple customers, the private Cloud provides applications and infrastructure that are dedicated to a particular organization. It allows organizations to outsource the management of their IT infrastructure while retaining tighter control over the location and management of the resources.
The price to pay for this is that the costs are likely to be higher than for a public Cloud because there is less potential for economy of scale, and resilience may be lower because of the limit on service resources available.
The information security risk associated with Cloud computing depend on both the service model and the delivery model adopted. The specific risks depend on the organization and their individual requirements. The common security concerns across this spectrum are ensuring the confidentiality, integrity and availability of the services and data delivered through the Cloud environment.
The approach to managing risks from the perspective of the Cloud service user is one of due diligence – ensuring that the requirements are clearly understood, the risks are assessed, the right questions are asked and the appropriate controls are included in the service level agreements.
The principal information security related issues that organizations adopting Cloud computing need to address are summarized below. Because of the wide spectrum covered by the Cloud, their priority will depend on the Cloud model adopted and the individual circumstances:
- Ease of Purchase: Anyone can buy access using a credit card. Your organization may already be using a Cloud service without a proper assessment of the risk.
- Service Contracts: Those offered by Cloud providers are often “take it or leave it” and may contain less onerous obligations on the provider than a normal SLA. Key issues include: who owns the data, and how difficult would it be for you to get it back?
- Compliance: Identify the business requirements for compliance with laws and regulations and ensure that the Cloud provider is able to answer how they will meet these needs.
- Service Location: Identify the legal issues that relate to the jurisdiction of the geographic location of the Cloud provider, the service and the data, and ensure that service contracts address these issues.
- Data Security: Identify and classify the business data that is involved and specify the security requirements for this data in terms of confidentiality, integrity and availability.
- Availability: Identify the service availability requirements and assure that the provider is capable of meeting these.
- Identity and Access Management: Specify the business needs for identity management and access control and assure that it will be delivered securely.
- Insider Abuse of Privilege: Confirm that the Cloud service provider has processes and technology to properly control privileged access.
- Internet Threats: Determine the level of protection needed against Internet-based threats and ensure they the steps to be taken both by the Cloud provider and internally are adequate.
- Monitor: Within the Cloud service, meet the business and legal requirements of the client while separating the data relating to different clients.
Taking a good governance approach, such as COBIT, is the key to safely embracing the Cloud and the benefits that it provides. COBIT provides guidance to:
- Identify the business requirements for the Cloud-based solution. This seems obvious but many organizations are using the Cloud without knowing it.
- Determine if the functionality is currently provided by an existing internal service. If so what are the options?
- Determine the governance needs based on the business requirements. Some applications will be more business critical than others.
- Develop scenarios to understand the security threats and weaknesses. Use these to determine the risk response in terms of requirements for controls and questions to be answered. Risk IT: Based on COBIT provides an ideal framework for this.
- Understand what the accreditations and audit reports offered by the Cloud provider mean and actually cover.
Cloud computing can reduce costs by providing alternative models for the procurement and delivery of IT services. Many organizations have already adopted an outsourcing approach to internal functions that are not core and this approach naturally extends to IT. However, they need to consider the risks involved in a move to the Cloud and good governance provides a way for this.