Cloud computing is not a new concept. Many companies are already knee-deep in cloud, and it is generally presented as the next logical move, particularly to replace an organization’s infrastructure. It is also good for tech startups, as it cuts infrastructure costs in the early stages. The benefits of cloud are well known; however, this article explores the issues of cloud from a security perspective. We try to present issues that are not well documented, and then offer some practical advice to consider when deciding to go down the cloud route. We focus on Infrastructure as a Service in this article. Read on and enjoy…
CLOUD: The New Source of Security Risks
Firstly, it is important to note that tapping into public cloud services exposes you and your company to new sources of risk. This should be at the forefront of your mind when choosing which parts of your business to move to the cloud, when selecting a supplier, and when planning your first steps towards the cloud.
Pre-Owned and Pre-Configured Images
Many cloud providers offer pre-configured operating system images. They generally work with the click of a button. However, keep in mind that someone has designed the image, and people do make mistakes. For example, in April 2011 Amazon reported that the person who published a particular EC2 (Elastic Compute Cloud) image had included an SSH public key, which meant that they could log on to the system of any cloud user who used that image.
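One way to check a provider-supplied image for the kind of leftover SSH key described above, as an added example that is not from the original article or from Amazon: the script walks a mounted image tree and reports every `authorized_keys` entry whose fingerprint is not on an approved list. The function names, the sample tree and the key blobs are constructed for illustration.

```python
import base64, hashlib, os, tempfile

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of OpenSSH public key types

def parse_key_line(line):
    """Return (SHA256 fingerprint, comment) for an authorized_keys line, else None."""
    fields = [] if line.lstrip().startswith("#") else line.split()
    # Options such as no-pty or command="..." may precede the key type field.
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(KEY_TYPES):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue  # not a key blob, e.g. "ssh-" text inside an option value
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        return "SHA256:" + digest.rstrip("="), " ".join(fields[i + 2:])
    return None

def find_unexpected_keys(image_root, approved):
    """Walk a mounted image tree; list authorized keys whose fingerprint is not approved."""
    findings = []
    for dirpath, _dirs, files in os.walk(image_root):
        for name in files:
            if name not in ("authorized_keys", "authorized_keys2"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    parsed = parse_key_line(line)
                    if parsed and parsed[0] not in approved:
                        findings.append((os.path.relpath(path, image_root), lineno, *parsed))
    return sorted(findings)

def build_sample_image():
    """Constructed sample: a fake image tree holding two made-up (non-functional) keys."""
    root = tempfile.mkdtemp()
    ours = base64.b64encode(b"constructed-customer-key").decode()
    theirs = base64.b64encode(b"constructed-publisher-key").decode()
    for rel, text in (("home/admin/.ssh", f"ssh-ed25519 {ours} admin@example\n"),
                      ("root/.ssh", f"# image build\nno-pty ssh-rsa {theirs} publisher@example\n")):
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, "authorized_keys"), "w") as fh:
            fh.write(text)
    return root, {parse_key_line(f"ssh-ed25519 {ours}")[0]}

if __name__ == "__main__":
    root, approved = build_sample_image()
    for path, lineno, fp, comment in find_unexpected_keys(root, approved):
        print(f"{path}:{lineno}: unapproved key {fp} ({comment})")
```

The fingerprints use the same SHA256 format that `ssh-keygen -l` prints, so the approved set can be built from keys you already manage.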
Plan in Your Supplier Audits
It is important to negotiate specific rights before signing a contract with a cloud computing provider. At the end of the day, you need to make sure there are sufficient security controls in place to maintain the Confidentiality, Availability, and Integrity of your services. At the very least you should conduct an audit of their facility as well as a vulnerability assessment, and this should be carried out at least yearly. In addition, you should ensure you have the right to conduct penetration tests of data and systems placed in the cloud, and these should be both electronic and physical penetration tests.
Do you know where your data is stored?
Some cloud service providers try to take a ‘black box’ attitude to their services, and think that as long as your services are up and running, that’s all you need to know. However, it is important to note that different countries have different data protection laws, so this should be considered and discussed before signing any contract.
Who are you sharing your services with?
One of the main selling points of the cloud is that it offers economies of scale, so your computer processing power can scale up when you have a lot of traffic or transactions on your site. In the same way, when you do not have much need for CPU power, it can be used by another customer who may be in need. However, it is important to recognize that with cloud, multiple organizations may often be running on the same host. If any of those organizations becomes compromised, this could lead to the compromise of others on the same host.