In general; the security aspects of a cloud computing service are primarily the concern and prerogative of the cloud computing service provider. All would-be customers should check very thoroughly the proposed providers intended operating procedures and practices as well as their track record in these regards.
Due to the very nature of cloud computing the user of cloud computing services is for the large part totally dependent upon the cloud computing service provider for such administrative responsibilities as data security, backup, disaster planning and recovery, encryption, accessibility, authentication, regulation and many regulatory requirements.
Data Sanitization – Data sanitization practices need to be examined very carefully indeed. What happens to data stored in a cloud computing environment once it has passed its user’s “use by date” is another concern. What data sanitization practices does the cloud computing service provider propose to implement for redundant and retiring data storage devices as and when these devices are retired or taken out of service.
One of the biggest issues facing many would-be cloud computing service users is that it is very hard for the customer to actually verify the currently implemented security practices and initiatives of a cloud computing service provider because the customer generally has no access to the provider’s facility which can be comprised of multiple facilities spread around the globe.
Service User Concerns
Among the areas that Gartner Research found in a recent survey of potential cloud computing client companies were issues regarding online transactions, Payment Card Industry (PCI) compliance requirements and matters directly relating to Privacy and Privacy legislation and for good reason.
Time and time again the “big boys” have assured us that all is OK and well under control only for disastrous breach of privacy incidents to become daily news headlines with each subsequent event outdoing all those before it in terms of the enormity of personally identifiable information that has been “leaked”. I think that perhaps the term that would be more appropriate to use is “The flood gates have opened” because it appears to be more of a “flood” of personally identifiable information rather than a “leak”.
Recent Events – Financial institutions are under considerable duress in the current economic climate and compounding problems with highly suspect information security practices may not be in the best interests of all; at least not at this juncture in time. In fact the recent release of tighter provisions concerning payment card transactions and practices by the payment card industry providers (banks etc.) reflect exactly this.
Denial of Service Attacks – Other concerns worthy of note relate to countermeasures and downtime ratios. What is the cloud computing service provider doing to negate the effects of Denial-of-Service (DoS) and Distributed Denial of Service (DDoS) attacks? These are very important questions that all future cloud computing customers want answers to now.
Backup and Restoration Practices – With many people believing that Murphy was right in saying; “If it can go wrong it will” the question of backup and restoration procedures needs to be addressed. Does the service provider use multiple site storage strategies or do they have all their eggs and yours in the one basket?
Encryption – Potential customers are concerned with encryption standards and practices of the cloud computing service provider. Is it possible for all of my data to be fully encrypted? What algorithms are used? Who holds, maintains and issues the keys?
Confidentiality – Encryption only goes part of the way in addressing concerns of confidentiality. Using Virtual Private Networking (VPN) technologies would definitely be a good idea. At least in this way we can be assured that all data transferred across transmission media will be encrypted.
Authentication – Another primary concern is in the area of authentication; not just of our authorized personal but of theirs (the service provider’s staff) as well.
Accessibility – This involves not just who or what has access to the data but the data’s availability to duly authenticated authorized persons as well.
Physical Security – As always physical security needs to be addressed. Just because we the customers cannot gain entry to a cloud computing service provider’s facilities does not prove that said provider has sufficient effective physical security measures in place.
Documentation – Testing and drilling play an important part in physical security so it would only be reasonable for the potential customer of cloud computing service providers to at least see some documentation regarding the implementation, maintenance, reviewing and upgrading of security practices, procedures and policies. If they can’t provide such documentation on demand then I would seriously doubt it they even had any. The warning bells should be ringing rather loudly at this point.
Service Level Agreements (SLA)
There can be little doubt that the Service Level Agreements (SLAs) that the customer of cloud computing services will need to negotiate with their prospective cloud computing services provider will for the reasons outlined above take on ever greater importance than has often been the case with Help Desk type SLAs in the past. Whether the cloud computing services provider develops a range of SLAs themselves or their prospective clients develop them remains to be seen.
What is clear is that the metrics of such SLAs do need to be very clearly detailed with clear and precise delineation of roles and responsibilities regarding a broad range of potential eventualities. It might pay to get the lawyers in on this one.
Well I hope this gives you some food for thought before you go diving off the deep end. Remember the old saying “Let the buyer beware”.