Some Thoughts on Cloud Computing Security
This is an interesting article by George Hume from InformationWeek's Security Weblog about security issues around cloud computing.
Here are some of his thoughts and questions on the issue:
What about making sure the data is segregated? If you need to be compliant with any one of the myriad of government and industry regulations, encrypting files without segregating them just doesn't cut it. Besides, you just don't want your high-value data to be co-mingled with your low-value data. Do you? Properly segregating data is something you'd want to do anyway.
Then there's the issue of in what country your data will reside. That's right: There are regulations in many countries that forbid certain types of protected data to actually leave the physical boundaries of a country.
What about having the ability to validate how your cloud provider keeps data secure? Or, even for the ability to independently audit their policies and processes?
What about the background of the employees and administrators hired by the cloud provider?
Who will actually have access to your data? Even if it's encrypted, it can still be lost, destroyed, or your access to it cut. How does AES help you there?
What about your business continuity and disaster recovery plan?
What about data-loss prevention from the cloud?
How will your business manage identity and access management to cloud-based applications and data?
What about the fundamental security of the application code your cloud provider is using? I don't think buffer overflows and data injection attacks -- and all of the other application-based challenges we still haven't solved -- will just vaporize in the cloud.
Here are some of his thoughts and questions on the issue:
What about making sure the data is segregated? If you need to be compliant with any one of the myriad of government and industry regulations, encrypting files without segregating them just doesn't cut it. Besides, you just don't want your high-value data to be co-mingled with your low-value data. Do you? Properly segregating data is something you'd want to do anyway.
Then there's the issue of in what country your data will reside. That's right: There are regulations in many countries that forbid certain types of protected data to actually leave the physical boundaries of a country.
What about having the ability to validate how your cloud provider keeps data secure? Or, even for the ability to independently audit their policies and processes?
What about the background of the employees and administrators hired by the cloud provider?
Who will actually have access to your data? Even if it's encrypted, it can still be lost, destroyed, or your access to it cut. How does AES help you there?
What about your business continuity and disaster recovery plan?
What about data-loss prevention from the cloud?
How will your business manage identity and access management to cloud-based applications and data?
What about the fundamental security of the application code your cloud provider is using? I don't think buffer overflows and data injection attacks -- and all of the other application-based challenges we still haven't solved -- will just vaporize in the cloud.
posted by The IT Security Guy at 6:57 AM
0 Comments:
Post a Comment
<< Home