Information Security and “the cloud”
July 17, 2009 at 7:38 pm #76011
Data Security in the Clouds
By Jeff Erlichman, 1105 Government Information Group Custom Media.
A Trusted Cloud is absolutely necessary to meet all Federal security requirements and to instill confidence in the confidentiality, integrity and availability of Cloud services and associated data.
You have security concerns – and rightly so.
When your applications are run from the Cloud; when your data is stored in the Cloud; and when you don’t know who else is sharing the same Cloud resources as you, it can make you a little skittish – perhaps reluctant to even consider Cloud Computing for your organization. You may think you are giving up control and perhaps security over your data.
While some sensitive data will never move to the Cloud, for some information – especially if it faces the public – you are going to just have to get over it.
CTO of the Federal Cloud Patrick Stingley put it this way: “When the guy running the largest organization in the planet is behind Cloud Computing, that’s it.”
Cloud Advantage or Disadvantage
NIST’s Peter Mell explained that there are some security advantages to Cloud. By shifting public data to an external Cloud, you reduce the exposure of the internal sensitive data, and Cloud homogeneity makes security auditing/testing simpler. He also said Cloud enables automated security management and provides redundancy and Disaster Recovery advantages.
On the other hand, Mell said security challenges revolve around trusting the vendor’s security model; the customer’s inability to respond to audit findings; how to obtain support for investigations; indirect administrator accountability; proprietary implementations that can’t be examined; and of course the “biggie” – loss of physical control.
So, what are you to do? “In the public Clouds people tend to have no control over who touches or who sees their data,” CSC CTO Yogesh Khanna told the Cloud Summit, “and those things inherently build some angst, some anxiety among the CIOs in the federal community.”
Khanna said on the other extreme are the private Clouds (which the purists will tell you is an oxymoron because there is no such thing as a private Cloud) where you own all the assets and you control exactly where your data resides. But since everything’s behind your firewall, you don’t really get the economies of scale that Clouds are supposed to bring to the table. But you get all the appropriate securities.
What Khanna is proposing is a middle ground, which he defines as “Trusted Clouds”: Clouds for a community, where that community of users could be defined by whoever is delivering those services.
Khanna defined trust as the assured reliance by one party on the future behavior of another party. “Technology is indeed the source of digital trust, however the features and functions performed in the name of ‘security’ for transactions and data are just the beginnings of digital trust,” explained Khanna.
He told the audience that digital trust is completed with evidence-based confidence that systems operate as advertised and that no unadvertised functions are occurring, and that digital trust depends not only on security features but also on the ability to deliver evidence about feature operation, with full transparency of control and result.
So to be safe in the Cloud you need to be part of Trusted Clouds. Khanna said “a Cloud that harmonizes the security for transactions and data with comprehensive transparency of control and result such that it conveys evidence-based confidence that systems within its environment operate as advertised, and that no unadvertised functions are occurring is a Trusted Cloud. Services rendered via a Trusted Cloud are ‘Trusted Cloud Services’.”
“A Trusted Cloud is not only possible,” exclaimed Khanna, “but absolutely necessary to meet all the Federal Government requirements and to instill confidence in the confidentiality, integrity and availability of Cloud services and associated data.”