a security vulnerability exploit (guest hopping attacks), although it
is more challenging to successfully attack a hypervisor (where the
resource is isolated from the infrastructure) than a traditional
operating system architecture.
4. Compliance risks: Enterprises that have invested heavily in the
attainment of industry standard or regulatory certification may risk
non-compliance if the cloud provider cannot evidence their compliance
or if the cloud provider does not permit audit of its own facilities. In
practice, this means that certain certifications cannot be achieved or
maintained when using public clouds.
5. Management interface compromise: The web-based customer management
interfaces that cloud providers supply are an additional risk, since
they offer extra opportunities to compromise a cloud system.
6. Data protection: An enterprise may not be able to verify how a cloud
provider handles its data and therefore cannot establish whether the
practices employed are lawful. In the case of federated clouds, where
different clouds are linked by a trusted network, this challenge is
more complicated. Some cloud providers have achieved certified
status with regard to data handling.
7. Insecure or incomplete data deletion: The request to delete a cloud may
not result in the data being completely expunged, and there may be
instances when immediate wiping is not desirable.

The main purpose of any interaction with a potential cloud provider
is to establish whether their security strategy is harmonious with
that of a particular enterprise. This becomes more difficult as
an enterprise moves up the cloud computing stack. For instance,
if an enterprise is seeking IaaS, then all security from the OS upward is
the responsibility of the enterprise, not the cloud provider. If PaaS is
required, then there is some responsibility for the provider to ensure
that the OS and platform layers are secure, but again, role-based
permissions that are part of the application layer are ultimately the
responsibility of the consuming enterprise. This becomes more complex if
access control is associated with OS-level security. For SaaS, the
provider maintains the access to the application, but access within the
application may be managed by the customer.

Again, this becomes ever more complicated as external services are
consumed, thus reinforcing the need to understand security in the context of
an enterprise, before a cloud migration takes place. A solid implementation
of security in a service-based environment is much easier to transfer to the
cloud, irrespective of the level in the stack that is required. The key concept
 