Please note that this is a page from a previous version of Continuity Central and is no longer being updated.


Using cloud computing? Re-orientate your thinking about security

Managing cloud risks: user and provider responsibilities.

There are a number of barriers, rumours and reports contributing to a hesitant approach to cloud computing. The US is adopting it faster than the UK and, whilst the financial sector is yet to embrace the cloud wholeheartedly, UK and European governments are moving forward.

So what are the risks? London-based information security experts, Quantainia, offer a plain-speaking assessment of where the risks are clouding people’s judgement and pose the questions that must be asked:

The drivers for cloud computing hang on cost efficiency, scalability and ease of use. But does all this outweigh the risks?

To many, the notion of putting more data and more applications on the Internet via the cloud model presents vast new opportunities for criminal activity through identity theft and misappropriation of intellectual property, hacking, and other forms of malicious activity.

Key to the cloud is that the user organization is not responsible for anything below the level of its own data; but if senior management needs controls in place to accept accountability for successes and failures, how can they balance both sides of the equation if audit is not possible? That’s the business dilemma: how to maintain control?

Seeding a corporation for cloud computing requires attention to key security areas:

  • Bringing machines up to date where security patch levels mean controls are weak;
  • Avoiding already compromised machines giving unauthorised users access, thereby negating any controls in place;
  • Segmenting users with differing trust levels and managing users’ methods (down to minutiae such as secure memory stick use);
  • Fundamental issues of multi-tenancy – who are your neighbours and can they jump your fence?

So that’s the user’s part of the deal. What about the cloud’s responsibilities?

Given that firewalls are shared among all the cloud’s users, they will be configured for the lowest common denominator. Similar considerations will apply to network controls, not to mention the controls over hypervisors. Cloud service providers have an interest in limiting the variation of hardware, since introducing too many bespoke, tailored platforms has serious cost implications. So what protections DO they have in place for your data, and how safe are the virtual machines?

Businesses must ask whether their virtual machines, or those of ‘neighbours’ on the cloud, can be stolen – and along with them their data (and access to it). Indeed, where IS the data, and does this have any regulatory implications? Equally, can the segmentation, or any other technical or management characteristics, be audited independently? And ultimately, how will data be transferred or destroyed on termination, and how is encryption handled?

The relationship between sector developments and intra-corporate reaction time means these parameters can shift almost as fast as the questions arise. Where large organizations’ protocols take time and money to reconfigure, remaining fluid with industry trends becomes impractical.

Therefore, from a security perspective, there is a burning need to focus on the logical layer.

1. Treat the network as public - you can’t manage your neighbours, so this is something you must accept.

2. Harden virtual machines - the object here is to draw in the scope of the perimeter from the potentially flakier limits of the hypervisor to that of the virtual machine itself.

3. Consider what additional products you may need. For example, data encryption solutions which hold the keys outside the cloud, or software which builds security into the virtual machine.

But the most crucial factor is to re-orientate your thinking about security. Thinking inside out, from the virtual machine to the perimeter, rather than outside in (securing the perimeter, then considering what lies on the ‘light’ side), will help you.
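
As an added illustration of points 1 and 2 (this is not code from the article or from Quantainia), the Python check below treats the VM itself as the perimeter: it lists the TCP listeners bound beyond loopback and flags any that an allowlist does not expect. The `ss -H -ltn` output and the allowed ports are constructed assumptions for a hypothetical VM.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output from a hypothetical VM (not from the article).
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
LISTEN 0      511             [::]:443           [::]:*
LISTEN 0      128                *:8080             *:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128            [::1]:6379          [::]:*
LISTEN 0      128        10.0.3.15:3306       0.0.0.0:*
"""

# Assumed policy: the only ports this VM is meant to offer to the network.
ALLOWED_PORTS = {22, 443}


def is_loopback(host):
    """True if the bind address is reachable only from inside the VM."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %scope
    if host == "*":                           # wildcard: every interface
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output):
    """Yield (address, port) for each TCP listener bound beyond loopback."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not is_loopback(host):
            yield host, int(port)


def violations(ss_output, allowed=ALLOWED_PORTS):
    """Listeners a neighbour on the shared network could reach but policy does not allow."""
    return sorted({(h, p) for h, p in exposed_listeners(ss_output) if p not in allowed})


if __name__ == "__main__":
    for host, port in violations(SAMPLE_SS):
        print(f"unexpected exposure: {host}:{port}")
```

Because the provider's shared firewall cannot be relied on to be tighter than the lowest common denominator, every listener reported here should either be closed, rebound to loopback, or filtered by the VM's own host firewall.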


• Date: 29th July 2011 • Region: UK/World • Type: Article • Topic: Cloud computing
