Clear metrics for cloud security? Yes, seriously
CSO - Since publication of my first article -- Cloud Security: Danger (and Opportunity) Ahead -- it seemed new information and cloud solutions were appearing daily. I'm gratified, for example, to see NIST, the National Institute of Science and Technology, has published its 15th draft on cloud computing, and with it, agreed with much of the definition I proposed in the previous article: "Service-based data processing and storage capability which is flexible, extensible and virtual."
NIST suggested cloud computing has the following salient characteristics: "On-demand self-service, based upon ubiquitous network access, using location-independent resource pooling; feature rapid elasticity and provide a measured service."
It's interesting to note that NIST specifically called out the piece about the service having to be measured. I wholeheartedly agree and take this to be a step in the maturity of cloud computing.
Security Models
The Jericho Forum proposed an interesting approach to cloud computing security. Starting with a description of cloud layers, it allows us to envision the problem. Here, the forum proposed that security (and identity management) are elements that cross all layers and in effect provide a design they call Collaboration Oriented Architecture (COA).
Once this foundation has been laid, they defined cloud security as a cube-shaped model that highlights various possibilities of architecture. The one addressed here is, of course, the outsourced/external/de-perimeterised option. At about the same time, the Cloud Security Alliance, of which I am a member, designed a not-too-different view. The CSA broke down cloud computing into three delivery types:
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)
And then proceeded to define the cloud consumption models:
1. Private
2. Public
3. Managed
4. Hybrid
The CSA's model of service delivery stacks, however, is very complicated. While I do not disagree with their reference model, I find it to be exceedingly complex. So allow me here to define the problem statement a bit differently. Let's expand the basic three tenets of security:
1. Confidentiality
2. Availability
3. Integrity
Clearly, in the case of cloud computing, and especially in the public/external case, we no longer have any control. Once the bits "leave our network," control passes elsewhere. Losing one control typically mandates an increase in the other controls. Here, we have another set of problems. Let us explore the remaining controls:
Confidentiality
Typically, we handle confidentiality through the use of technologies such as encryption and access control. We can still encrypt, but imagine what happens to a large data set. It has to be sent, or assembled, in the cloud, remain there in an encrypted form, and be transferred to us for processing.
Once the data is at our location, we have to decrypt it, perform the operations needed, then re-encrypt and resend to the cloud. Doable, yes. But the performance tax here is huge. While today's routers and servers no longer have their performance brought down to 1/6th by encryption, we still pay a heavy price.
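The round trip described above, as an added illustration that is not from the article: the provider only ever holds AES-256-GCM ciphertext, the key stays on premises, and every operation costs one decrypt and one re-encrypt. `CloudStore` (an in-memory map standing in for the provider), `NewAEAD`, `Seal`, `Open` and `RoundTrip` are hypothetical names chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type CloudStore map[string][]byte // the provider's copy: ciphertext only, never the key

// NewAEAD builds an AES-256-GCM cipher from a 32-byte key that stays on premises.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts under a fresh random nonce and prepends the nonce to the output.
func Seal(aead cipher.AEAD, plain []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, nil), nil
}

// Open verifies the GCM tag before decrypting, so a blob altered in the cloud is rejected.
func Open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// RoundTrip is the article's workflow: pull the encrypted data set, decrypt on premises,
// run the operation, re-encrypt and push it back. Two crypto passes per operation is the tax.
func RoundTrip(aead cipher.AEAD, store CloudStore, name string, op func([]byte) []byte) error {
	plain, err := Open(aead, store[name])
	if err != nil {
		return err
	}
	sealed, err := Seal(aead, op(plain))
	if err == nil {
		store[name] = sealed
	}
	return err
}
```

Because GCM authenticates as well as encrypts, the same construction also covers the integrity tenet: a data set modified while it sits with the provider fails to decrypt on return.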