Security Elements of the Cloud

(This article, written by Bilal Mehdi, Senior Consultant, Glasshouse Technologies (UK) Ltd, reveals the top ten tips for getting the most out of cloud.)

Many organisations are starting to adopt cloud computing services in order to realise efficiencies and to relieve pressures in data centre management.

However, many of those that use cloud services are uncertain of where their information is held, and indeed of who owns and can access that data.

Furthermore, data that is considered secure in one country may not be secure in another. Currently in the process of trying to harmonise the data laws of its member states, the EU favours very strict protection of privacy.

In America, laws such as the US Patriot Act invest government and other agencies with virtually limitless powers to access information, including that belonging to companies. In a number of cases, jurisdiction has been the main factor in organisations rejecting cloud computing solutions.

All this confusion and risk means that it is important to be particularly vigilant about information security both in your own organisation and at the cloud service provider's site.

Information security is a system of policies and procedures designed to identify, control and protect information and any equipment used in connection with its storage, transmission and processing.

Information security for cloud computing services is largely based on the security management framework of IT Service Management (ITSM).

There are four main aspects of information security management that must be considered in order to ensure that the confidentiality, integrity and availability of your assets, information, data and IT services are maintained: organisational security, procedural security, physical security and technical security.

Organisations should design their information security based on the overall corporate governance framework. This approach provides the strategic direction for security activities and ensures that objectives are achieved.

There is an industry standard assessment methodology for security and risk assessment called CRAMM (CCTA Risk Analysis and Management Method).

CRAMM can be used to identify the security and/or contingency requirements for a cloud computing environment. CRAMM provides a staged and disciplined approach embracing both the cloud computing provider's (hardware and software) and the internal (e.g. procedural and human) aspects of security.

CRAMM is generally divided into three stages: asset identification and valuation; threat and vulnerability assessment; and countermeasure selection and recommendation.

Organisations should gauge the success of the security measures for their IT environment based on the following main factors:

• The business is protected against internal (within the organisation) and external (cloud computing services provider) security violations

• A clear and agreed policy is determined and integrated with the needs of the business

• All security procedures are justified, appropriate and supported by the organisation's management

• All security procedures are agreed with the cloud computing services provider(s)

• Effective education in the security requirements takes place

• An ITSM-based improvement mechanism is in place

• The availability of services is not compromised by security incidents

• Clear ownership and awareness of the security policies is present, both internally and externally (at the cloud computing services provider)

There's no doubting that cloud services can and do provide organisations with numerous benefits. However, it pays for organisations to be extra vigilant when it comes to information security - the consequences of getting it wrong could be costly and extremely difficult to resolve.