Addressing Cloud Security For Clients--Specific Steps

Survey after survey shows that security is clients’ number one concern about using cloud computing, cited by more than 50% of respondents. Cloud providers are focused on this and are making continual progress. Some of the most often cited areas of concern:

•             Securing data at rest and in transit (encryption & key management)

•             Authentication of users (Identity & access management)

•             Separation of data in the multi-tenant environment (tenant isolation through VMs and the hypervisor)

•             Legal and regulatory issues

•             Incident response notification and roles

 

Given the compelling benefits of adopting cloud computing, clients, especially small and mid-size clients, cannot wait until most of the security issues are resolved.

 

Bottom-line cloud premise: data anywhere, at any time, in any volume

Assess how, what & when client moves to cloud

Put client assets being evaluated for the cloud in two groups:

•             Data

•             Applications/functions/processes

 

Then decide how sensitive and important each asset is to the client by assessing its confidentiality, integrity and availability requirements. This is similar to how you would assess assets for outsourcing, but with more options to consider.

Types of information that may be too sensitive to put in the cloud: intellectual property, the client’s financial information, health data, and employee records.

Next evaluate whether the risks of each deployment model are acceptable. Deployment models (with variations): public, private, community, or hybrid.

Next focus on the degree of risk control you will have with each model. This is where the security assessment questions discussed later are employed as you evaluate specific cloud providers. Then map out exactly if and how data moves in and out of the cloud deployment model you select. The key here is to identify the risk exposure points: where data crosses a trust boundary, where it is stored, and who can access it.

 

Service model -

Software as a Service (SaaS). The capability provided to the client is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser. Assessing a potential provider in the areas of incident response, application security, and identity and access management will be most important to the client. As a current example of how critical model selection is, many solution providers are helping medical providers select Electronic Health Record solutions that meet federal guidelines. The choice between SaaS and a client-server model must consider hacking incidents that alter or destroy patient medical information, as well as long-term data management and retention issues. Vetting SaaS suppliers on their security profile around these issues is critical not just for security but for compliance with HIPAA and HITECH.

Platform as a Service (PaaS). The capability provided to the client is to deploy onto the cloud infrastructure client-created or acquired applications built using programming languages and tools supported by the provider. The client does not manage or control the underlying cloud infrastructure but has control over the deployed applications. Assessing the provider in the areas of virtualization and application security will be most important to the client.

Infrastructure as a Service (IaaS). The capability provided to the client is to provision processing, storage, networks, and other fundamental computing resources where the client is able to deploy and run software such as operating systems and applications. Assessing the provider in the areas of data center operations, encryption and virtualization will be most

 

Key Security Assessment Questions by Domain/Area:

Now review the key security assessment questions, organized by the domains developed by the Cloud Security Alliance (http://www.cloudsecurityalliance.org/), to ask potential providers when assessing their security profile against the security controls the client considers critical. Review the questions with your client, then pose the ones deemed critical and use the answers to trigger further questions wherever a response does not satisfy the client. The CSA developed these assessment questions to be SPECIFIC to the cloud computing model, to minimize duplication with questions you would already ask of other models such as client-server or hosted.

 

Summary

        Cloud providers are moving aggressively to address valid security concerns and speed up adoption. As an example of reducing barriers to adoption due to security concerns, the PCI Security Standards Council, in issuing PCI DSS 2.0 last year, expressly clarified that cardholder data may reside in a virtualized environment. Previously this was unclear; now a virtualized or public cloud deployment can be brought into compliance, provided the client and provider can demonstrate that every applicable requirement is met in that environment.

        The reality is that many large clients have specific, valid concerns that make private clouds more attractive in the near term. However, most SMB clients will realize better security from a public provider’s investment in robust security controls than they achieve on their own.

        Assessment guidance exists now and is enhanced frequently to help you guide your clients through their cloud security concerns so they can realize the compelling benefits of this model now.
