CSO - I'm a CIO or CSO of a corporation that has yearly revenues of $1 billion or more. What are the security concerns that I have before I'm willing to deploy my IT infrastructure into a cloud? Let's flesh out the following security issues: What belongs in the cloud? How should sensitive data be protected? How are encryption upgrades addressed? How do I limit access to sensitive data? And how will critical systems metadata (data describing data) be tracked?
See also: Cloud security: The basics
Let's assume that each corporation has a variety of firewall segments and corresponding network equipment within the cloud-computing vendor's cloud. Each segment will have a variety of applications it supports. Because other companies may be in the same cloud, they may share the same firewall segment and network components, the same database, virtualized operating system, and virtualized storage. (Related: Small clouds: Security selection criteria)
First, let's look at some realistic security constraints about the cloud vendor. It may be difficult to deploy all a corporation's infrastructure within the cloud because of a lack of standardization within the businesses' current IT applications. For example, one of the clients I worked for had a mainframe solution that was integrated with a web service. The web service interfaced with a POS (point of sale) system and communicated with the mainframe using a proprietary port over TCP/IP. The mainframe received and stored sensitive credit information. For this solution, all of the POS solution, web service, and TCP/IP communication could be put in the cloud. But, the mainframe's application, proprietary storage infrastructure, and encryption techniques make it hard to put it into the cloud. The mainframe application could be potentially ported but would likely require a difficult rewrite. It would not be wise to do this without performing a ROI (return on investment) review.
A second concern is access to sensitive data. How is sensitive data stored in the cloud? SAN (storage area network) subsystems stripe data over many drives in the storage array. Do I want to stripe encrypted data over the entire array of disks? My concern is that corruption in a database, file system, or a disk or solid state drive may spread to other applications sharing data (virtualized) within the same subsystem. So I want a method to isolate the encrypted data in the database, file system, or on disk. The bounding of data will limit the effects if corruption occurs.
Thirdly, how is the encryption algorithm for the stored data going to be updated? Encrypted data that is stored within various databases and file systems will need to be upgraded because as processor speeds increase it is easier to hack data. So this data will need to be unencrypted with the older encryption algorithm and re-encrypted with a new algorithm. Because of the newer algorithm, the newly encrypted data may take up a larger footprint in the database or file system. This also needs monitoring.
Free Insider GuideCopyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
