The cloud landscape continues to evolve quickly and, as a true ecosystem, has seen the introduction of several new technologies, delivery models and players into the market. It is characterized by pooling and sharing of resources, broad network access, rapid elasticity, on-demand service provisioning (with a strong self-service element), measured service, and support for (although not a requirement of) multi-tenancy. Cloud architecture offers a means of delivering information and communications technology (ICT) infrastructure, platform (i.e. application execution environment) and software as a service (SaaS), all of which support private, community, public and hybrid deployment models. The benefits of the cloud include cost and performance optimization, economy of scale, a flexible utilization and charging model, ease of connectivity and access to shared services, and cost-efficient introduction of redundancy and continuity of provision.
These benefits of the cloud model for IT service delivery are attractive, but the very nature of the model means that customers have less direct control over the infrastructure and the data that is being hosted or processed by the external cloud providers. While this perceived lack of control is not a new development, the relatively new model of the cloud brings the issue to the fore.
Security, resilience and compliance are the main concerns holding back wider use of cloud computing, and are the most likely to drive remaining innovation and market differentiation efforts in this area. The key security challenges facing cloud computing include regulatory compliance, the absence of security standards and certification, confidentiality and integrity of data at rest or in motion in the cloud, data and process isolation, and multi-tenancy of shared security services. Such challenges come on top of the common security issues relating to the exposure points and layers offered as a service (i.e. infrastructure, platform and software), the risk of externalizing management processes commonly performed by privileged users, vulnerabilities introduced by inadequately protected use of the virtualization technology that powers cloud services, the security of integration with corporate IT infrastructure, and a lack of protection in depth while effectively de/re-perimeterizing through the integration of cloud services into the corporate infrastructure.
And, of course, the people factor is as important with cloud as with any other new paradigm at the peak of its hype. Once in the cloud, consumers often forget that data location and protection need to be treated diligently, and may relax governance controls that should continue to be applied. In addition, security and IT management professionals sometimes lack the necessary understanding of the key differences between traditional and cloud infrastructure deployments, hence running the risk of offering misleading advice or using outdated means to tackle new problems.
Several efforts have already been carried out, and others are currently underway, to help organizations understand these security issues and plan for them. The “Security Guidance for Critical Areas of Focus in Cloud Computing” by the Cloud Security Alliance (CSA), as well as the “Cloud Computing Risk Assessment” and “Security and Resilience in Governmental Clouds” reports by the European Network and Information Security Agency (ENISA), are some of the works in which BT has been involved from the very beginning. This is part of BT’s effort to understand and address the security issues facing its customers, as well as to be forward-thinking and participate in the exploration of new security ideas for BT and the industry.
We will discuss these efforts in an upcoming post.
Theo Dimitrakos, PhD, Chief Security Researcher, BT