Saturday, May 08, 2010

CLOUD COMPUTING AND ITS SECURITY IMPLICATIONS

There has lately been a lot of hype in the ICT sector about Cloud Computing (for brevity’s sake let’s call it CC). CC is a computing service through which an end user can subscribe to any of the offered ICT services. The term Cloud is used as a metaphor for the internet because the computing services are accessed via the internet.

CC uses a pay-per-use model. It can be compared to a utility service you constantly use, for example electricity. You get the meter read at the end of every month and you subsequently receive a bill for the energy consumed. This concept also applies to CC.

CC is offered by providers (e.g. Amazon) and delivers common business applications online which are accessed from a web browser, while the software and data are stored on servers in huge data centers.

This brings huge economies of scale: customers get software, infrastructure or applications (for example enterprise software) cheaply as an on-demand service, whilst the provider is able to plan capacity globally, taking advantage of time zones and other regional differences. Small enterprises would benefit significantly from the cost savings provided by CC.

However, there is an elephant in the Cloud room - security. Various concerns have been raised because many infrastructure-based clouds do not even have contracts between the vendor and the client stipulating security and continuity. Only Service Level Agreements and a monthly bill exist, and if you ever do have a problem, the only recourse would be to relocate to another provider.

Security concerns that should be addressed initially include the following:

What levels of protection are in place to protect one customer from accessing another customer's data or application within a shared cloud space? Who will be liable for security breaches and how will the law regarding this in any one jurisdiction ensure compliance? How well will a CC provider integrate with a client’s security systems?

A client should also ask about the methods the CC provider is employing to protect data, such as high physical security, as well as what types of monitoring, intrusion detection and firewall equipment are installed in their data center.

It is expected that CC will be the wave of the future, but this massive availability of resources and data within a Cloud will present a very attractive target for attackers.

1 comment:

Anonymous said...

While your analysis is very insightful, I think it would have been much more beneficial to break down CC into the service delivery models (SaaS, PaaS, IaaS) and the different deployment models, private, public, etc.