NIST defines cloud computing as a "model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction."
NIST contends that small organizations with limited IT resources have a potential security upside in migrating to public clouds. The advantages of moving to the cloud are:
1. Large cloud providers like Amazon hire specialized security experts to protect the cloud from attacks and data corruption. This degree of staff specialization is generally better for normal customers.
2. Platform strength: Cloud computing architecture is massive and uniform. This allows cloud providers to automate security management activities, security audits, and security patching. Such activities in general provide better security.
3. Resource Availability: Because infrastructure is available on demand, organizations can protect against data corruption by building in redundancy on the cloud.
4. Backup and Recovery: The backup and recovery provided by cloud providers are better than what a small organization can afford on its own.
5. Data Concentration: What would happen if your work laptop was stolen and it contained all the company secrets? The cloud allows for data concentration, hence preventing data compromise in events like theft.
However, the disadvantages of the cloud computing paradigm with respect to security and privacy are as follows:
1. Cloud computing systems are more complex. They have many more components, like resource metering and quota management software. This increases the attack surface and hence the risk of an attack.
2. Shared Multi-tenant Environment: An attacker posing as a consumer can use the shared resources and network components to launch an attack.
3. Internet-facing Services: By definition, cloud services are delivered over the internet. Hence it is more difficult to maintain security compared to computers that had access only to an intranet.
4. Loss of Control: Is your money safer in your bank or in your safety locker? When keeping money in a bank, you are trusting the bank to protect your resources better. You are relinquishing control over your money. It is similar in terms of data for an organization that migrates to the cloud.
Broadly, NIST recommends the following approach to analyzing the system security of a cloud deployment:
1. Determine the security objectives of the organization.
2. Perform an analysis of the risk to the client's data, applications and infrastructure.
3. Make an inventory of the policies, procedures, and technical controls used by the cloud provider. These are generally captured in the Service Level Agreement (SLA) and terms of use.
4. Establish a new SLA with the cloud provider if a gap exists between the organization's security requirements and the cloud provider's standard security.
5. Ensure that the client-side environment meets your privacy requirements.
6. Choose the appropriate deployment model (public cloud, community cloud or private cloud).
7. Determine who is accountable for the privacy and security of the data and applications that you have put in the cloud.
8. Governance: Put in place auditing procedures to check for software isolation and data protection.
9. Develop an appropriate incident reporting mechanism so that intrusions are detected and reported to the client in a timely manner.
Though this is the initial framework from NIST, we expect it to evolve as the technology matures and more vulnerabilities are uncovered.
- Abhijith and Benoy