Considerations for Cloud Security Use Cases


drus...@ca.ibm.com

Nov 20, 2009, 4:50:12 AM
to Cloud Computing Use Cases
At the end of the day, consumers will use clouds to gain access to
network, computational and storage resources they could not easily or
cost effectively acquire on their own. Each will have different
expectations and requirements for security based upon how they intend
to use those resources and what value they assign to the data and
workloads they intend to trust to the cloud.

I would say that every cloud deployment model (i.e. private, public,
hybrid, community, etc.) needs to have a security framework in place,
broken down into different aspects of security (often called controls
such as Identity/Access Control or Data Security) that can be
referenced internally (by the cloud provider) and externally (by the
cloud consumer). This framework of security controls is a common
concept and is seen as a repeated theme for various IT Security
Management compliance standards (ISO 27001, SAS 70, etc.). It is fair
for a cloud provider, regardless of their deployment model, to detail
very specific (manual or automated) security processes and control
implementations to achieve their business goals. It is equally fair
for them to decide not to support one security control or another as
long as it's a conscious decision that their customers can be satisfied
with (i.e. that it is an understood and accepted risk which will not
adversely impact one's business).

If a cloud provider ever intends to be entrusted with workloads that
meet government or industry compliance standards, it is critical that
(at a minimum) they be able to show how their security framework,
controls and flows map to and meet those defined in those compliance
standards AND ALSO prove their processes and implementations are
effective.

Of course, security comes with a cost. The problem for the cloud
provider is to balance security with cost, based upon their customer
requirements and expectations to provide a baseline for security.
However, if the provider is capable they can choose to offer
additional security features, controls as "add on" services that can
in turn be offered for a fee to customers who require that "extra"
level of protection.

As many point out, cloud IT Security Management and many of the
security areas/controls are not new. However, what is different is
that the cloud consumer is giving up direct control of how security is
implemented. This means that in order to offer a similar comfort and
confidence in the cloud provider's security framework there has to be
a means to provide transparency into the actual security controls and
their implementations to the cloud consumer. This transparency
extends to various aspects of security information as well (e.g.
access logs, incident reports, threat and risk assessments, platform
updates, change management notifications, etc.).

But perhaps simply having transparency is not enough... How do you
take advantage of multiple cloud providers (and deployment models) at
the same time if each provides you with a different means to introspect
security and receive security information? This would place
additional burden on the cloud consumer to resolve disparate
procedures (e.g. APIs) for extracting data and then different tools/
applications for disseminating and creating views to have any
meaningful security assessment. Now compound that with the notion
that a resource request or transaction could span multiple clouds.
How do you correlate the effectiveness of all the security controls
and related security information for that transaction to prove a
certain standard is maintained?

These are all issues that can be highlighted in use cases going
forward with V3. It may be important, however, before jumping at
responding to use cases, to define how to analyze security by using a
framework/controls approach that eventually could be linked to
concrete compliance standards.

These are the issues that govern my thoughts lately (no pun
intended). Do any of these or similar issues resonate with others
here? If anyone else has pursued audit and compliance in cloud, does
this approach help us form use cases that we can weigh against a
security framework/control structure?

Matt Rutkowski

Nov 19, 2009, 10:31:34 AM
to Cloud Computing Use Cases

Matt Rutkowski

Nov 20, 2009, 10:19:58 AM
to Cloud Computing Use Cases
Thanks Dave for copying my post into the forum when Google Groups was
having (and may still be having) issues on moderated forums. I see my
original finally appeared below the one you copied from my email to
you.

-Matt Rutkowski

drus...@ca.ibm.com

Nov 20, 2009, 11:21:08 AM
to Cloud Computing Use Cases
NOTE: Because of the problems with the inability to post to the Google
Groups for the past several days, I did the post on behalf of Matt
Rutkowski. When responding to this topic, please direct your answers /
questions to Matt and he will be pleased to respond.

Thanks

Dave