The benefits of cloud computing are clear. But in terms of cloud security, moving to the cloud means sharing massive amounts of IT resources among many users and security processes. The negative implications of this are often hidden beneath layers of abstraction. In fact, the flexibility and openness of the cloud computing model has created a number of security concerns about the privacy, integrity and availability of data. These concerns often make companies anxious about moving to the cloud.
Can you trust the cloud? Does the fact that moving to the cloud means shifting much of the responsibility and control of your data and operations from the client organization to a cloud provider present a roadblock to adopting the cloud? The following is a closer look at some of the legitimate risks and concerns:
Where Does Your Data Reside?
Company information is probably the most valuable asset in every organization, and protecting data confidentiality and integrity is the most fundamental directive of information security. This core principle is even more essential when a company’s sensitive information resides offshore and when the data moves further from the client’s control. Many organizations aren’t exactly sure where and in what way their data is stored, including who has access to it. Typical concerns arise in relation to how the data is allocated, archived and distributed. On the other hand, regulatory compliance has become more and more restrictive. For example, certain regulatory requirements in the European Union expressly forbid limited control capability over sensitive data, especially when it is unknown whether the data might have been sent outside EU borders.
What Are the Cloud Security Implications of a Shared Environment?
Essentially, the cloud represents a shared environment for co-hosting many tenants’ information assets and data. For cloud security, this implies a company’s data shares the same infrastructure and information resources of the cloud environment together with all other tenants (clients). Such a setup certainly makes you wonder whether your data is properly segregated and protected from unauthorized access. Theoretically, misconfigured virtual domains or poorly defined policy-based security zones can mean potential data leakage or intrusions between tenants. This could lead to distributed denial-of-service attacks and massive sensitive data compromise and loss.
If You Move Your Data to the Cloud, Are You Off the Hook If a Security Breach Occurs?
Another attractive aspect of moving to the cloud is that it can offer a highly automated, highly standardized, flexible and optimized IT environment. Because of this, you might assume security breaches are less likely. Moreover, you probably trust your cloud supplier to secure your data. Just keep in mind that your data still remains defenseless against an internal security breach. You have not shifted the ownership and accountability of a potential security breach, just its location.
The bottom line is that the cloud is a disruptive technology, just like the Internet once was, and some people are scared of disruptive technologies. Of course, there are some legitimate cloud security concerns, but policies should not be written based on fear. The risks must be analyzed so you can find the proper controls and countermeasures.
Follow me on Twitter at @Ivtivanov.