Skip the navigation
Opinion

Clear metrics for cloud security? Yes, seriously

By Ariel Silverstone
November 17, 2009 11:12 AM ET

CSO - Since publication of my first article -- Cloud Security: Danger (and Opportunity) Ahead -- it seemed new informations and cloud solutions were appearing daily. I'm gratified, for example, to see NIST, the National Institute of Science and Technology, has published its 15th draft on cloud computing, and with it, agreed with much of the definition I proposed in the previous article: "Service-based data processing and storage capability which is flexible, extensible and virtual."

NIST suggested cloud computing has the following salient characteristics: "On-demand self-service, based upon ubiquitous network access, using location-independent resource pooling; feature rapid elasticity and provide a measured service."

It's interesting to note that NIST specifically called out the piece about the service having to be measured. I wholeheartedly agree and take this to be a step in the maturity of cloud computing.

Security ModelsThe Jericho Forum proposed an interesting approach to cloud computing security. Starting with a description of cloud layers, it allows us to envision the problem. Here, the forum proposed that security (and identity management) are elements that cross all layers and in effect provide a design they call Collaboration Oriented Architecture (COA).

Once this foundation has been laid, they defined cloud security as a cube-shaped model that highlights various possibilities of architecture. The one addressed here is, of course, the outsourced/external/de-parameterized option. At about the same time, the Cloud Security Alliance, of which I am a member, designed a not-too-different view. The CSA broke down cloud computing into three delivery types:

  • 1. Infrastructure as a Service (IaaS)
  • 2. Platform as a Service (PaaS)
  • 3. Software as a Service (SaaS)

And then proceeded to define the cloud consumption models:

  • 1. Private
  • 2. Public
  • 3. Managed
  • 4. Hybrid

The CSA's model of service delivery stacks, however, is very complicated. While I do not disagree with their reference model, I find it to be exceedingly complex. So allow me here to define the problem statement a bit differently. Let's expand the basic three tenets of security:

  • 1. Confidentiality
  • 2. Availability
  • 3. Integrity

Clearly, in the case of cloud computing, and especially in the public/external case, we no longer have any control. Once the bits "leave our network," control passes elsewhere. Losing one control typically mandates an increase in the other controls. Here, we have another set of problems.Let us explore the remaining controls:

ConfidentialityTypically, we handle confidentiality through the use of technologies such as encryption and access control. We can still encrypt, but imagine what happens to a large data set. It has to be sent, or assembled, in the cloud, remain there in an encrypted form, and be transferred to us, for processing.

Once the data is at our location, we have to decrypt it, perform the operations needed, then re-encrypt and resend to the cloud. Doable yes. But the performance tax here is huge. While today's routers and servers no longer have their performance brought down to 1/6th by encryption, we still pay a heavy price.

Originally published on www.csoonline.com. Click here to read the original story.
This story is reprinted from CSO Online.com, an online resource for information executives. Story Copyright CXO Media Inc., 2006. All rights reserved.
Our Commenting Policies
Blog Spotlight
Sharky

This pilot fish is a contractor at a military base, working on some very cool fire-control systems for tanks. But when he spots something obviously wrong during a live-fire test, he can't get the firing-range commander's attention.

Sharky
Sharky