23 Aug 2012
By Kelli Korducki
Cloud computing is rapidly becoming the status quo of the IT landscape, with services available for seemingly every possible function. Its efficiency-boosting benefits are many: documents can be viewed and altered simultaneously from more than one location, and cloud-based data storage won’t run up against server and hard drive limits. But there are security challenges that come with storing data on the web.
John Howie, Chief Operating Officer of the Cloud Security Alliance, explains that security on the cloud is a concern on the part of both consumer and cloud provider. “Both the cloud provider and the cloud consumer have a role to play. That role will be determined by the service model.”
At one end of the scale is infrastructure-as-a-service, which Howie describes as being characterized by the heavy use of virtualization, where cloud consumers will have access to one or more virtual machines linked to the cloud provider. At the other end is software-as-a-service, where the cloud provider exposes to the consumer only the management tools required to run a given application.
“If a consumer rents from, say, Amazon or Rackspace or another infrastructure-as-a-service provider, they are responsible for the security of that guest operating system, the operating system software operating within that virtual machine.”
This means that it’s up to the consumer to ensure that the latest anti-virus and anti-malware software updates are applied. Often, however, consumers of this kind of service will neglect to perform ongoing protective software maintenance, some under the mistaken belief that this is the role of the infrastructure-as-a-service provider.
“It’s actually the cloud consumer’s responsibility, in most cases,” says Howie.
With software-as-a-service, on the other hand, the onus for security falls on the provider, though the consumer always has a role around identity and access management. According to Howie, the most common security breaches under this storage model tend to result from the consumer granting too much access to an outside party, or a failure to revoke someone’s access after that person has left the organization.
Claudiu Popa, President and Principal Risk Advisor of the Informatica Corporation, observes that the consistency of secure software implementation is a key factor in data security on the cloud. “Cloud security is only as good as the weakest link in the chain, and that link is often the least security-aware developer,” says Popa, who often recommends mandatory security coding education across a company’s entire development team, to be delivered on a regular basis.
Popa recommends that organizations audit their cloud security provider’s practices before choosing who to trust with their data, and suggests that companies implement as many monitoring and alerting controls as possible to ensure timely and accurate visibility into the risk to their data.
Howie agrees that, with software-as-a-service cloud providers, consumers should make sure that secure coding practices are followed. But, in general, organizations using cloud storage can best protect their information by closely monitoring its accessibility.
“That’s the greatest risk: making sure that only people who are supposed to have access to that data do.”





