Information Security
Information security issues need to be addressed by both the users and the providers of cloud computing.
Users Security Concerns
It is important for users of cloud computing to recognize that information security responsibilities do not disappear within a cloud computing model. The primary responsibility for information security remains with the owner of the information, not with the service provider. This responsibility includes ensuring that all security requirements are satisfied in their implementation of the cloud computing model, even where services are outsourced to an external provider. General security concerns include the following.
- Access control. How to control and assure that access to sensitive data stored or accessed on the cloud is limited only to authorized users.
- Accountability. How to provide accountability and non-repudiation for user activities conducted on cloud systems.
- Account management. How to create, manage, and close user accounts for access to cloud-hosted services and resources.
- Privacy. How to ensure confidentiality for transactions and information accessed over the network.
- Monitoring. How to monitor activities conducted in the cloud to ensure compliance with access controls and accountability and how to generate artifacts to support audit activities.
- Storage. How to segregate data stored on shared cloud storage servers.
- Separation. How to assure separation of cloud computing services and data on shared multi-tenancy servers.
- Backup and Recovery. How to provide backup and recovery capabilities for data and services entrusted to a cloud provider.
- Exploitation. How to protect cloud services and data from exploitation by unauthorized persons.
- Insider abuse. How to detect and protect against abuse by trusted users accessing cloud-based systems.
- Management console security. How to protect the system's cloud-hosted management console from misuse.
- Integrity. How to ensure the integrity of data and services offered on cloud-based systems.
- Availability. How to ensure the availability of data and services offered on cloud-based systems.
- Compliance. How to ensure compliance with applicable Federal requirements for data and services offered on cloud-based systems.
Provider's Security Concerns
Providers of cloud computing services recognize that their ability to compete in the highly competitive cloud computing marketplace is influenced by the perceived security of their services. They address this in their business plan, which typically includes their concept of operation. They recognize that they have a business interest in delivering a secure solution for their customers, including both the technical and operational exposures of their solution.
Technical Exposures
Technical exposures include the information security vulnerabilities inherent in their service architecture, their systems and other underlying components.
- Architecture. A cloud computing offering includes the offeror's system architecture showing the services being provided to their customers, and the underlying functions and systems that enable these services. These include the security systems that provide the user security services discussed in the previous section. A key design consideration for the offeror is the efficiency, scalability, and cost of their solution in a competitive marketplace.
- Host and Guest Systems. The offeror's systems implement their architecture with a combination of commercial and custom hardware and software products such as those discussed earlier in this tutorial. All of these products have security vulnerabilities that can be exploited by potential intruders and attackers.
- Data Center Systems. Data center systems include the hosting environment's own infrastructure that manages the hosted server, storage, networking, power, and other environmental components. These systems are present whether the cloud computing provider is using their own data center or using a third party data center facility. The security of these systems must also be considered by the cloud computing provider since they impact their solution.
Operational Exposure
Operational exposures include the information security vulnerabilities inherent in operating the cloud computing provider's solution.
- Systems management. Continuous management is an inherent responsibility of any cloud computing provider. Their customers are relying on them to proactively monitor the availability, performance, and security of their solution and its systems. The service provider is expected to increase its capacity as needed to ensure that customer needs are satisfied. It is also expected to respond to any systems failures and security incidents and correct them immediately, preferably before they are noticed by any of the customers using these services. By their nature, these management systems provide privileged access to the cloud computing solution, making them a high priority for system security operations.
- Systems administration. The administration of the cloud computing systems is limited to a small number of trusted users. Potential intruders can become employees and gain privileged access. The qualification, screening, and monitoring of these privileged users is critical to the operational security of the solution, to avoid system failure or compromise due to error or misconduct.
- Shared systems. The use of shared resources is a core part of the multi-tenancy attribute of the cloud computing model. Potential intruders can become customers and gain legitimate user access. Inherent in the cloud computing model is the expectation that the cloud computing service provider will maintain separation of each customer's data and privacy for their transactions.