Survey after survey continues to show that clients' number one concern about using cloud computing is security (cited by over 50% of respondents). Some of the most often cited areas of concern:
• Securing data at rest and in transit
• Authentication of users
• Separation of data in the multi-tenant environment
• Legal and regulatory issues
• Incident response notification and roles
Given the compelling benefits of adopting cloud computing, clients (especially small and mid-size clients) can't wait until most of the security issues are resolved:
• Reductions in infrastructure and application costs
• Faster deployment of solutions
• Increased efficiency
• Increased flexibility and options
• Improved customer satisfaction
Bottom-line cloud value: data anywhere, at any time, in any volume.
Many clients won't wait until the world declares cloud computing "safe". In fact, a recent (January 2011) Ponemon Institute study shows that less than 50% of clients evaluate security. The study also says that 22% of business-critical applications or services are already in the cloud. The adoption rate is outpacing the resolution of security issues. The task of a "trusted advisor" is to assist clients in evaluating meaningful security risks and the security of cloud providers.
Assess What and How the Client Moves to the Cloud
Put client assets being evaluated for the cloud in two groups:
• Data
• Applications/functions/processes
Then decide how sensitive and important each asset is to the client by assessing its confidentiality, integrity and availability requirements. Types of information that may be too sensitive for the cloud: intellectual property, the client's financial information, health data, and employee records. Then evaluate whether the risks of each deployment model are acceptable. Deployment models (with variations): public, private, community, or hybrid.
Then focus on the degree of risk control the client will have with each model. This is where security assessment questions are employed as you evaluate specific cloud providers. Then map out exactly if and how data moves in and out of the cloud deployment model you select; it is key to identify every major risk exposure point. You and the client should now understand both the importance of, and the risk tolerance for, what is being considered for a move to the cloud under acceptable deployment models.
Low-value assets need a lower level of controls and might not need on-site inspections and complex encryption schemes. High-value assets might require extensive audit and data retention requirements. If the asset isn't subject to regulatory requirements you might focus on more technical security controls.
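The triage steps above (group assets, rate confidentiality/integrity/availability, note regulatory scope, pick a control tier, then map where data crosses into and out of the cloud) can be written down so the advisor and client work from the same rule set. The following is an added example, not code from the original article: the tier thresholds, the control lists, the regulation labels and the sample inventory are all constructed assumptions chosen to illustrate the method.

```python
"""Asset triage and exposure-point mapping for a proposed cloud move.

Added example (not from the original article).  Each asset is rated on
confidentiality, integrity and availability (1 = low, 3 = high) and tagged
with data categories; the worst-case rating and any regulatory scope decide
a control tier, and a data-flow map is then walked to find the points where
a medium- or high-tier asset crosses the on-prem/cloud boundary.  Thresholds,
control lists, regulation labels and sample data are constructed assumptions.
"""
from dataclasses import dataclass

# Data categories the article names as possibly too sensitive for the cloud,
# mapped to the regime that usually drives their handling (assumed labels).
REGULATED = {
    "health": "HIPAA/HITECH",
    "payment": "PCI DSS",
    "financial": "financial regulation",
    "employee": "employee privacy law",
}

# Controls per tier, following the article's low-value / high-value split
# (the specific items are an assumption for this example).
CONTROLS = {
    "low": ["provider baseline controls", "encryption in transit"],
    "medium": ["provider baseline controls", "encryption in transit",
               "encryption at rest", "provider audit report review"],
    "high": ["provider baseline controls", "encryption in transit",
             "encryption at rest", "provider audit report review",
             "on-site inspection", "audit and data retention requirements",
             "incident notification terms in the contract"],
}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                 # "data" or "application"
    confidentiality: int      # 1 (low) .. 3 (high)
    integrity: int
    availability: int
    categories: frozenset = frozenset()


@dataclass(frozen=True)
class Flow:
    asset: str   # Asset.name
    src: str     # location name
    dst: str


def sensitivity(asset):
    """Worst-case CIA rating drives the tier (high C with low I/A is still high)."""
    ratings = (asset.confidentiality, asset.integrity, asset.availability)
    if any(not 1 <= r <= 3 for r in ratings):
        raise ValueError(f"{asset.name}: CIA ratings must be 1..3, got {ratings}")
    return max(ratings)


def regulations(asset):
    """Regimes that apply to the asset, based on its data categories."""
    return sorted(REGULATED[c] for c in asset.categories if c in REGULATED)


def control_tier(asset):
    """Regulated data is always high-tier regardless of its CIA score."""
    if regulations(asset) or sensitivity(asset) == 3:
        return "high"
    return "medium" if sensitivity(asset) == 2 else "low"


def exposure_points(assets, flows, locations):
    """Flows where a medium/high-tier asset crosses the on-prem/cloud boundary.

    `locations` maps a location name to "on-prem" or "cloud".  Low-tier
    crossings are dropped: they need only baseline controls."""
    by_name = {a.name: a for a in assets}
    points = []
    for f in flows:
        if f.asset not in by_name:
            raise KeyError(f"flow references unknown asset {f.asset!r}")
        tier = control_tier(by_name[f.asset])
        if locations[f.src] != locations[f.dst] and tier != "low":
            points.append((f.asset, f.src, f.dst, tier))
    return points


def triage(assets, flows, locations):
    """Per-asset plan, highest tier first, so assessment effort follows risk."""
    order = {"high": 0, "medium": 1, "low": 2}
    crossings = exposure_points(assets, flows, locations)
    plan = []
    for a in sorted(assets, key=lambda a: (order[control_tier(a)], a.name)):
        tier = control_tier(a)
        plan.append({
            "asset": a.name, "kind": a.kind, "tier": tier,
            "regulations": regulations(a), "controls": CONTROLS[tier],
            "crossings": [c for c in crossings if c[0] == a.name],
        })
    return plan


# Constructed sample inventory: one regulated data set, one public catalogue,
# one moderately sensitive data set, plus where each flows.
SAMPLE_ASSETS = [
    Asset("patient-records", "data", 3, 3, 2, frozenset({"health"})),
    Asset("product-catalog", "data", 1, 1, 1),
    Asset("order-history", "data", 2, 2, 2),
]
SAMPLE_LOCATIONS = {"hq-datacenter": "on-prem", "saas-crm": "cloud", "public-web": "cloud"}
SAMPLE_FLOWS = [
    Flow("patient-records", "hq-datacenter", "saas-crm"),   # crosses into the cloud
    Flow("order-history", "saas-crm", "hq-datacenter"),     # crosses back out
    Flow("product-catalog", "hq-datacenter", "public-web"), # crosses, but low tier
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ASSETS, SAMPLE_FLOWS, SAMPLE_LOCATIONS):
        print(f"{e['tier']:6} {e['asset']:16} regs={e['regulations']} "
              f"crossings={len(e['crossings'])}")
```

Running it lists patient-records first (high tier, HIPAA/HITECH, one boundary crossing), then order-history (medium, one crossing), then product-catalog (low, no exposure points even though it leaves the data center). The crossings list is what turns the "map how data moves in and out" step into concrete places to point the provider assessment questions at.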
Cloud security requirements vary by client size, industry and service model
Client size - Larger international clients have special concerns, such as where their data resides, and are subject to geographical regulations. Data ownership and portability are major security issues for them. Smaller clients have concerns around loss of control, since the data is outside their physical control. As a general premise, the smaller the client, the more likely cloud security will be an improvement, since the robustness of in-house security controls tends to decrease with client size.
Industry - The level of security concern will be higher for financial clients, medical clients (HIPAA/HITECH acts), utility/energy clients (e.g. FERC) and retail clients (PCI and state breach laws).
Service model - Each service model puts different assessment areas in the foreground:
Software as a Service (SaaS). The capability provided to the client is use of the provider's applications running on a cloud infrastructure. The applications are accessible from client devices through a thin client interface such as a web browser. Assessing a potential provider in the areas of incident response, application security, and identity and access management will be most important.
Platform as a Service (PaaS). The capability provided to the client is to deploy client-created or acquired applications onto the cloud infrastructure, using programming languages and tools supported by the provider. The client does not manage or control the underlying cloud infrastructure but has control over the deployed applications. Assessing the provider in the areas of virtualization and application security will be most important.
Infrastructure as a Service (IaaS). The capability provided to the client is to provision processing, storage, networks, and other fundamental computing resources, on which the client is able to deploy and run software such as operating systems and applications. Assessing the provider in the areas of data center operations, encryption and virtualization will be most important.
Key Security Assessment Questions by Domain/Area:
Now you are ready to review the key security assessment questions developed by the Cloud Security Alliance (CSA, http://www.cloudsecurityalliance.org/) to assess the provider's security profile against the security controls the client considers critical. Pose the questions deemed critical and use the answers to trigger further questions where a response does not satisfy the client. The CSA developed its security assessment questions to be specific to the cloud computing model, to minimize duplication with assessments of other models such as client-server or hosted environments.
Summary
Cloud providers are moving aggressively to minimize valid security concerns and speed up adoption. As an example of reducing barriers to adoption caused by security concerns, the Payment Card Industry Council, in issuing PCI DSS 2.0 last year, expressly clarified that cardholder data could reside in a virtualized environment. Previously this was unclear; now payment data can be processed in a public cloud and remain in compliance.
The reality is that many large clients have special concerns that make private or hybrid clouds more attractive in the near term. However, most SMB clients will realize better security due to the public provider's investment in robust security controls.
Assessment guidance exists (e.g. the CSA questions) and is being enhanced rapidly to help you guide your clients through their cloud security concerns so they can realize the compelling benefits of this model now.
Posted on Tue, May 17, 2011 by Earle Humphreys