however, is the depth of the infrastructure that is being entrusted to
the cloud. Data storage and customer care management are discrete,
vertical functions that have long been devolved to third parties. Devolving
infrastructure, applications, and services is a horizontal function, and it
contains the heart of the organization's operations.
Such is the potential complexity of the situation that enterprises adopt
a risk-based approach to security, in which controls are prioritized
toward the areas where a security failure would be most damaging. One part
of a risk-based approach is to ensure that service-level agreements (SLAs)
are in place. However, SLAs are often written to protect the supplier, not
the customer, which again underlines the importance of understanding the
security detail so that your requirements are catered for properly. So, even
though you may be impressed with the physical security during the sales
tour of the cloud provider's premises, it remains your responsibility to
ensure that all of the other aspects of security are assured as well.
Account-based access control is a form of perimeter security: without an
account and a password, you cannot get past the boundary of the network.
It assumes, though, that everyone who holds an account is honest and
trustworthy. Unfortunately, a large share of security breaches are the work
of employees who have legitimate access, and because their activity looks
like ordinary use, it is rarely detected. These internal threats do not go
away when you move to the cloud, unless the cloud provider offers a more
secure service that you can use, adding protection over and above what
you have today.
When dealing with security, it helps to be paranoid. Migrating systems to
the cloud is likely to increase the number of people who have access to your
data, so your security strategy must make provision for threats from the
inside. Virtualization is the specific technology that made the cloud
delivery model workable, but it also complicates the demands placed upon a
security strategy, because servers, storage, and even networks now execute
in virtual environments. Rather than the traditional risk of an employee
divulging a password or snooping around a system, an employee of a cloud
provider need only grant access to the virtualization layer (the hypervisor
and its management plane) for havoc to be wreaked across every tenant it
hosts. And if we consider the elasticity of cloud resources, an attacker who
is granted even limited access to a cloud account has plenty of compute
resource to use for nefarious purposes.
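The two paragraphs above make a point that an account and a password cannot address on their own: once a legitimate account holder is inside, the perimeter says nothing about what they do. The only countermeasure that scales to provider staff, contractors, and a larger headcount is to record what each account does and compare it with what that account is expected to do. The following is an added example, not code from the book: it builds a small insider-misuse detector over a constructed audit log. The log format, the user and resource names, and the role-to-resource policy are all assumptions made for illustration.

```python
"""Flag insider misuse in an audit log that access control alone would pass.

Three checks a practitioner would want on top of "has an account":
  1. access to a resource outside the user's declared role (least privilege),
  2. activity outside the user's business hours,
  3. a burst of reads in a short window, the usual shape of bulk exfiltration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). One event per line:
#   <ISO-8601 UTC time> <user> <role> <action> <resource>
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice finance read ledger/2024-q1.csv
2024-03-04T09:15:44Z alice finance read ledger/2024-q2.csv
2024-03-04T10:02:10Z alice finance read customers/export.csv
2024-03-04T02:31:09Z bob support read tickets/8812
2024-03-04T11:00:00Z carol ops read storage/vol-001
2024-03-04T11:00:30Z carol ops read storage/vol-002
2024-03-04T11:01:00Z carol ops read storage/vol-003
2024-03-04T11:01:30Z carol ops read storage/vol-004
2024-03-04T11:02:00Z carol ops read storage/vol-005
2024-03-04T11:02:30Z carol ops read storage/vol-006
2024-03-04T14:20:00Z dave ops write vm/web-01
"""

# Assumed policy: which resource prefixes each role may legitimately touch.
ROLE_RESOURCES = {
    "finance": ("ledger/",),
    "support": ("tickets/", "customers/"),
    "ops": ("vm/", "storage/"),
}


def parse_line(line):
    """Parse one audit line into a dict; raises ValueError on malformed input."""
    ts, user, role, action, resource = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "role": role,
        "action": action,
        "resource": resource,
    }


def detect(log_text, business_hours=(8, 18), burst_threshold=5,
           burst_window=timedelta(minutes=10)):
    """Return a list of (user, reason, raw_line) findings for the whole log."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["time"])  # logs are not always in time order

    findings = []
    recent_reads = defaultdict(deque)  # per-user timestamps inside the window
    burst_reported = set()             # report one burst per user, not per read
    start, end = business_hours

    for ev in events:
        raw = f"{ev['time']:%Y-%m-%dT%H:%M:%SZ} {ev['user']} {ev['role']} " \
              f"{ev['action']} {ev['resource']}"

        # 1. Least privilege: unknown roles get an empty tuple and always fail.
        allowed = ROLE_RESOURCES.get(ev["role"], ())
        if not ev["resource"].startswith(allowed):
            findings.append((ev["user"], "resource outside role", raw))

        # 2. Off-hours activity by an otherwise valid account.
        if not (start <= ev["time"].hour < end):
            findings.append((ev["user"], "off-hours access", raw))

        # 3. Sliding-window read burst per user.
        if ev["action"] == "read":
            window = recent_reads[ev["user"]]
            window.append(ev["time"])
            while ev["time"] - window[0] > burst_window:
                window.popleft()
            if len(window) >= burst_threshold and ev["user"] not in burst_reported:
                burst_reported.add(ev["user"])
                findings.append((ev["user"], "read burst", raw))

    return findings


def flagged_users(findings):
    """Map each user to the set of reasons they were flagged for."""
    summary = defaultdict(set)
    for user, reason, _ in findings:
        summary[user].add(reason)
    return dict(summary)


if __name__ == "__main__":
    for user, reason, raw in detect(SAMPLE_LOG):
        print(f"{user:6} {reason:22} {raw}")
```

Every event in the sample log would be accepted by password-based access control; only the policy and behaviour checks separate alice's out-of-role read and carol's bulk read from dave's routine write. In practice the role map comes from the identity provider and the thresholds from a baseline of the user's own history, but the structure of the check is the same.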
Providing IT security is a challenge, and the effort required can make a
migration to the cloud look attractive if it reduces the hassle. However, the
enterprise is placing trust in its provider and needs to assure itself that
the provider's capabilities are at least as good as those of its current
architecture. Another factor is that today's IT systems are complex and
becoming ever more intricate and bespoke. The traditional model of security
is to define a hard perimeter (usually around the data center) and monitor
all inbound and outbound traffic across it. The problem with multitenant
clouds is that all sorts of traffic will be present at the access point, and
in fact another enterprise's traffic might be deemed hostile, even though the