Printer friendly version
Blue skies thinking for cloud security
10 March 2010
As cloud computing moves data and services from local systems to remote centres, the question of security for organisations must be addressed. A research paper published in the International Journal of Services and Standards suggests that a cloud-free security model is the best way forward and will circumvent the fact that cloud service providers are not yet meeting regulations and legal standards.
In the early days of computing, users accessed resources using desktop terminals connected to a mainframe. The personal computer changed all that uniting the input, processing and output devices in a single machine.
Recently, however, the merits of separating the computers on our desks and in our pockets from the processing workhorses has re-emerged especially as broadband and mobile networks have got faster. Today, countless business and individuals access their email and documents on remote web-based systems. Social networking tools, such as MySpace, Facebook, and Twitter maintain data on remote servers accessed through a web browser. Data storage and back up too are often undertaken on remote servers.
In this "cloud" model of computing, data and services are held in a connected cloud of computers and users access them from devices that are sophisticated versions of the old dummy terminals in the mainframe model. "Cloud computing is characterised by low investment cost, economies of scale, open standards and sustainability, and is being increasingly adopted by organisations," explains Manal Yunis of the School of Business, at the Lebanese American University, in Beirut.
Google and others offering online office tools and email systems, and remote web services and hosting from the likes of Amazon aimed at e-commerce sites are establishing the cloud as the future of computing. Other companies are offering cloud-based antivirus, social networking, file sharing, and other services. Almost half of all internet users are utilising cloud resources in some shape or form. While the cloud is growing, now is probably the best time to address the issue of data and service security.
Yunis has developed a model to assess all the various risks associated with relocating an organisation's data and services to remote computer servers in the clouds. "The model can be applied in assessing the security issues emanating from cloud computing, identifying the security countermeasures needed to address these issues and coordinating the efforts of the various participants to enhance information security in organisations adopting cloud computing," explains Yunis.
She points out that there are six important issues that must be addressed to ensure an organisation or individual's use of cloud computing is not compromised.
The first is "resource sharing. On shared services, there is the possibility that another user on the same system may gain access inadvertently or deliberately to one's data, with potential for identity theft, fraud, or industrial sabotage. Second, because data is held offsite data ownership might be compromised. Third, the intrinsic latency of transferring data back and forth for processing in the cloud means that some users might lower encryption levels to cut send and receive delays, giving rise to additional security concerns. Fourth, the issue of Service Line Agreements (SLAs) may lead to an organisation being refused access to data and services if there are technical, security or commercial disagreements between them and the cloud service provider. Fifth, data might be lost or otherwise compromised because of a technical or other failure on the part of the provider. Finally, negative aspects of interoperability and portability in which failure or attack of a virtual component in the processing and storage may compromise security.
Yunis' cloud-free approach to cloud security involves two points that taken together offer an optimal approach to cloud security: risk assessment of data and threats and a security management plan to address the conclusions from the assessment. The management of security risk involves users, the technology itself, the cloud service providers, and the legal aspects of the data and services being used. "This last point is critical given the fact that most cloud providers, if not all, do not meet the current compliance rules and regulations," says Yunis.
Understanding and controlling security risks when using cloud computing must be based on an analysis of the potential losses (caused by the cloud computing security risks) against potential benefits and cost savings (originating from using cloud computing's scalability and low cost) compared to conventional data storage and processing.