This Secure Cloud Computing Guide focuses on the risks that cloud infrastructure poses to data and points out what to look for so that your own website or business runs on a secure cloud. The number of cloud services is growing, and users can now obtain countless services over the Internet. Private cloud services are open only to a specific group of users, such as members of the same company, while public cloud solutions can be accessed by anyone over the Internet.
Three different cloud computing service models are in use, and they matter for Secure Cloud Computing :
- Infrastructure-as-a-Service (IaaS) provides infrastructure such as virtual machines or storage space.
- Platform-as-a-Service (PaaS) offers an execution and development environment.
- Software-as-a-Service (SaaS) is a software solution from the cloud provider that is used, for example, via the web browser. The main examples of SaaS offerings are office suites.
Secure Cloud Computing Guide : Threats
Understanding the threats is an important part of implementing Secure Cloud Computing in your own sector. Cloud services are exposed on the Internet to numerous attacks and threats. They are publicly accessible and most run on third-party infrastructure, which has both security advantages and risks. The Cloud Security Alliance (CSA) has described its view of the dangers of using public cloud computing :
- Abuse and harmful use of cloud computing : The basic characteristics of cloud infrastructures, such as the quick and easy availability of new resources with a very good network connection, make cloud resources attractive to attackers as well; for example, denial of service (DoS) attacks can be launched from them to take a target down.
- Insecure interfaces and APIs : Cloud providers expose the management interfaces of public cloud services over the Internet, which makes them easy to attack. In addition, there are application programming interfaces that users can use to control and configure the cloud services. Weaknesses in these interfaces can open gateways for unauthorized access to customer data.
- Malicious insiders : Software security measures are often ineffective if the attacker has access to the infrastructure of the cloud provider. This is particularly the case with malicious insiders, i.e. employees of the cloud service provider who have access to customers' data.
- Risks through shared technologies : Another characteristic of cloud computing is the well-known pooling of resources. This means that the physical resources are shared among all users of the cloud services. The absence of reliable physical separation of user data can cause problems.
- Data loss and compromise : Because the data is stored in the cloud and many users use the same infrastructure simultaneously, special requirements exist for data security. Past problems with cloud providers show that data loss can also occur because of technical problems.
- Theft of user accounts or cloud services : Because users are meant to be able to start using the services quickly and easily, an attacker who gets hold of a customer account has access under a false name, which carries the risk of resource misuse and damage.
- Unknown risks : To estimate the risks of cloud services, users need to analyze the security of the provider. Where the inputs to this risk analysis are inadequately known, because the cloud provider cannot provide all the information needed, the result is a non-assessable risk.
Secure Cloud Computing Guide : Requirements
Important requirements for a Secure Cloud Computing infrastructure are a solid security architecture and secure client separation at all layers of the infrastructure (virtualization, network, platform, application, data). Furthermore, users should ensure that the cloud provider operates according to a defined process model for the management of IT processes. This includes patches, configuration management, system management and application management.
Another important selection criterion is the location of the cloud provider's headquarters. Many well-known providers operate from the United States and are subject to its laws.
Secure Cloud Computing Guide : Secure Usage
A user who wants to enforce Secure Cloud Computing should heed the following measures in advance or at the beginning of the use of cloud services :
- Level of protection of the data : When transferring data to the cloud, the user should apply their own data classification (security level “low” to “very high”), analyze the data's need for protection, and specify which data is to be stored with and transferred to a cloud provider. This may include, for example, the use of certain cryptographic methods or a comprehensive approach to the rights of access to certain information.
- Secure storage of data in the cloud : When storing data, encryption plays a central role. Key management is a challenge for many users, and a compromise of the key means a threat to data security.
- Secure transfer of data to the cloud : In addition to secure, isolated storage of the data, the secure transport of data from the customer into the cloud and between the cloud data centers plays a role. Data should only be transmitted over encrypted channels; the cloud can be integrated, for example, via an encrypted virtual private network (VPN) into the existing IT infrastructure of the user. For securing management interfaces or using SaaS offerings via the web browser, only secure HTTPS connections are recommended.
- Secure data processing : As far as data processing is concerned, it is particularly important to monitor all requests and activities within the storage services and cloud applications in order to detect attacks. Furthermore, portability and interoperability play an important role with regard to the danger of vendor lock-in caused by unusual export data formats. With standardized and open interfaces, protocols and open source platforms, this secure data processing can be achieved.
- Secure access to the cloud services : Not only the data itself but also access to the cloud services and applications has to be protected. Encrypted transmission and a regular change of the login ID and password combination are recommended. This should be strengthened with two-factor authentication and individually set access rights. The different roles and rights should be reviewed periodically.
- Secure data archiving : Encrypting archived data is advisable.
- Secure data deletion / destruction : The permanent deletion of data in the cloud is very important, whether it is required by statutory requirements or by a change of supplier. Since a user often does not have access to the backups kept by the cloud provider, it makes sense, if the service makes it possible, to save the data only in encrypted form. When deleting, the associated key is then destroyed and with it the ability to decrypt the data, so that recovery of the data is virtually ruled out.
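
The key management point under secure storage and the deletion-by-key-destruction approach in the last item can be shown in code as follows. This is an added example, not part of the original guide; it assumes the third-party Python cryptography package, and the function names, key id and object names are hypothetical.

```python
# Added example, not from the original page. Assumes the third-party
# "cryptography" package; function, key and object names are hypothetical.
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def seal(keks, key_id, name, plaintext):
    """Encrypt locally; the returned record is all the provider stores."""
    dek = AESGCM.generate_key(bit_length=256)  # fresh data key per object
    aad = name.encode()  # binds ciphertext and wrapped key to the object name
    n_data, n_wrap = os.urandom(12), os.urandom(12)
    kek = AESGCM(keks[key_id])  # key-encryption key, held only by the customer
    return {"name": name, "key_id": key_id,
            "n_data": n_data, "data": AESGCM(dek).encrypt(n_data, plaintext, aad),
            "n_wrap": n_wrap, "wrapped_dek": kek.encrypt(n_wrap, dek, aad)}


def open_record(keks, rec):
    """Unwrap the data key with the local KEK, then decrypt and verify."""
    aad = rec["name"].encode()
    kek = AESGCM(keks[rec["key_id"]])  # KeyError once the key is destroyed
    dek = kek.decrypt(rec["n_wrap"], rec["wrapped_dek"], aad)
    return AESGCM(dek).decrypt(rec["n_data"], rec["data"], aad)


def is_readable(keks, rec):
    """False if the key was destroyed or the record was altered."""
    try:
        open_record(keks, rec)
        return True
    except (KeyError, InvalidTag):
        return False


def shred_demo():
    """Constructed run: seal, keep a 'provider backup', destroy the key."""
    keks = {"kek-demo": AESGCM.generate_key(bit_length=256)}  # local key store
    rec = seal(keks, "kek-demo", "hr/payroll.csv", b"constructed sample row")
    backup = dict(rec)  # copy the provider retains and we cannot delete
    before = is_readable(keks, backup)
    moved = is_readable(keks, dict(rec, name="hr/other.csv"))  # altered name
    del keks["kek-demo"]  # crypto-shredding: destroy the only copy of the key
    return before, moved, is_readable(keks, backup)


if __name__ == "__main__":
    print(shred_demo())
```

In practice the key-encryption key would be held in an HSM or key management system under the customer's control, and destroying it has to cover every copy and backup of the key itself.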
Secure Cloud Computing Guide : Conclusion
The benefits of cloud computing are numerous and include scalability, elasticity and the pay-as-you-go model, but it does face some challenges that a user has to deal with.