Wednesday, November 16, 2011

Cloud Security

IT has the ability to deliver almost anything you can think of, and here is the latest entrant: the cloud, already the phrase du jour in the IT coliseum. Clouds are on the rise, and so are the organizations looking to capture them for their business practices.
Cloud computing has changed the approach such that a cloud user now requires only a browser to access the company’s network, and this raises risk and compliance concerns.
Being a part of GRC, we know what matters most to organizations, and here it is their corporate data, which they may put on off-premise servers. So are the clouds safe? What are the risks involved? Will the data (kept offshore) still sync with their company's internal compliance mandates?
  
Being in the GRC domain, I had a serious question in front of me: are clouds secure and safe, and what should they do to adhere to IT security norms? How can they be well equipped to address any IT security concern raised, given that any organization would want clouds to be safe before putting its enterprise data on board?
In the current economic scenario, businesses, especially mid-size ones, may feel the need for cost reduction and look to this technology to source some or all of their computing services from the cloud; what may hold them back are the security concerns. To pass the risk and compliance test, they would need to address the following concerns that come with clouds, not only for IT auditors but also for themselves. The lack of a robust methodology for identifying risk areas and staying compliant may derail the complete concept of clouds.

First, we discuss the various planks which can be of major concerns to the data owners:
·      SaaS, PaaS and IaaS: Cloud providers use Software as a Service (SaaS), Platform as a Service (PaaS, i.e. providing cloud users with a platform on which to build software applications) or Infrastructure as a Service (IaaS, such as servers) to deliver a single application through the browser, serving multiple clients.
·      Use of web services: Use of web services like search engines, web portals, etc.
·      Use of Utility Computing in Clouds: Utility computing, i.e. utilization of services and computing resources, such as virtual Data Centers.

Risks Involved
·      SaaS, PaaS and IaaS: The risk of using SaaS, PaaS or IaaS is that all these platforms raise issues of identifying user accounts (duplicate user accounts) and their roles and rights, and of misalignment of data. In short, these are concerns of authorization and authentication. Here, the onus of data security lies not only on the data owners, but also, and majorly, on the cloud providers (Cloud Service Providers), as the data is stored on third-party software, storage blocks or platform-based clouds.
·      Use of web services: Use of web services in the clouds is crucial to IT security, as traditional vulnerabilities like viruses and spyware are always of concern. Apart from the traditional villains resting on the web, the security of the enterprise data transmitted to these web services is also under the scanner.
·      Use of Utility Computing in Clouds: Utility computing raises a high level of security concern, as the mission-critical data of organizations is under scrutiny. Access to crucial and critical IT environments such as Data Centers has always been of high concern to organizations. The fear of clouds growing dark rises, as we are actually looking into the prospect of a ‘virtual Data Center’.

Compliance practices to tackle the risks
Addressing risk and compliance aspects is fundamental for clouds to grow. This is important because the absence of a GRC umbrella over an organization’s cloud cluster would mean a complete degradation of its enterprise data and its business practice. The best practices to tackle the risks mentioned above are suggested below:
·      SaaS, PaaS and IaaS: Organizations need to focus on data security, which becomes highly important as the clouds reside on storage blocks, software or platforms. User accounts and their roles and rights are absolutely crucial, and their authorization and validation must be a primary focus for organizations. Organizations / data owners would also require robust cloud-based third-party policies, rather than just the orthodox enterprise third-party policies, for the service providers who own the clouds (as the data no longer rests in their own environment or facility).
·      Use of web services: Filtering (URL filtering) of what can be viewed on the basis of user roles is an effective measure while using web services on the clouds. This ensures that each cloud user accesses what is actually necessary for their role. It takes care of access to attractive but distracting information / services, which gives traditional intruders an easy route in. In case web security is outsourced to a third party, SLAs / KPIs and related policies must not only focus on web security and filtering concerns, but must also focus on the services to curb and prevent data loss. Here, the responsibility for these measures lies primarily with the organizations who own the data, because it is not just their data residing on the clouds; they actually share a room out there! What is notably important here is to realize the guidelines and policies that need to be built around these risks and to consistently keep a check on them.
·      Use of Utility Computing in Clouds: To overcome security concerns related to utilities like virtual Data Centers, it is highly recommended to locate and highlight low-, medium- and high-level security concerns and risks in depth. The policies, authorization and access to Data Centers must not only highlight but also address the risk areas and concerns that have been analyzed. The back-up and restoration methodologies adopted are of high significance too, because the Data Centers in the clouds are not just located offshore, but are virtual as well. So, if organizations do not want the clouds to grow dark, it is important to focus primarily on the aspects below:
·         Policy management and audit capabilities for themselves and cloud-providers
·         IT security controls and the ability to transport and archive enterprise data
·         Addressing poor visibility into risk exposure properly
·         Avoiding the lack of alignment that comes from not having risk and compliance processes embedded within the business

Best practices ensure that organizations, and their corporate and enterprise data, remain on cloud nine. Clouds are always pleasant to watch, and GRC is all about ensuring they don’t grow dark. We won’t.