Is cloud computing secure?
Posted on 1 Nov 2010 at 08:00
In the latest of our cloud computing exploration features, we look at the issue of security
With more and more data and applications heading to the cloud, leaving the familiar data centre for the fresh field of hosted online data centres, it's time to think hard about security issues.
Can hosted, multi-tenant services ever be as secure as your own server?
This isn't a new problem. Far from it. It's actually one the industry keeps coming back to. First it was data processed by time-sharing systems at a data processing bureau, and then it was outsourcing, and most recently off-shoring. Data leaks and breaches in the news focus attention from legislators, and regulations are put in place to try and manage things – but regulations are never enough. It's what you do that protects your data.
There are three basic models for cloud services, and how you treat security is going to differ as a result of the cloud services you choose:
• Infrastructure as a Service (IaaS): a service like that provided by Amazon Web Service, where they provide an infrastructure, leaving you to deploy your own virtual servers.
• Platform as a Service (PaaS): a service like that provided by Microsoft Azure, where you run your applications on the service's operating system, using its storage infrastructure.
•Software as a Service (SaaS): a service like that provided by Salesforce.com, where you store your data in the services databases, and use its software to process the information.
If you're using an IaaS provider, then you're going to need to treat your virtual machines much like any cluster of virtual machines in a data centre. The service provider is providing the network infrastructure (and the network security tools), and you're going to need to secure your virtual servers. You can use familiar tools and techniques, but it does mean that you're going to have to treat security as a full time IT task.
PaaS is a more complex beast to secure effectively, as you're reliant on the security features of the service operating system. You're only working with applications and data, and you need to ensure that you only rely on the security you build into your applications.
That does take some of the load off your IT team, though, as you're handing over both infrastructure and OS security to your cloud service provider.
SaaS is both the simplest and the hardest to deal with. It's simple, in that all your security needs are taken care of by the service provider. It's also the hardest, because that means you need to trust your SaaS vendor – or at least ensure that you have a legally binding agreement which includes security provisions. You'll need to be sure that you're complying with the appropriate regulations, and that you've got a secure connection to your provider's applications – using more than just simple passwords!
Getting that trust right is important to Salesforce.com, according to Tim Barker, the company's vice president of marketing in Europe, the Middle East and Africa (EMEA).
He describes it as a "consistent focus," adding "We started building with security in mind, to be a service that users trust".
But it's not good enough to be trusted for what you say, and that trust needs to be verified. "We work to ISO 27001 standards, with third party accreditation, and we're also evaluated by prospective customers who send in their own security people. So we're probably more regularly reviewed than any other vendor, right down to code reviews," Barker added.
Mike Lingo, chief technology officer at Astadia, echoes the need for an audit of cloud services as part of ensuring compliance. "Customers need to assert that their vendors are compliant with best practices for processing in their environment by reviewing things like SAS 70 compliance, which is obviously the standard vendors will work towards," he said.
"Further, you'll want to know for mission-critical or system-critical apps that a Type II audit was performed."
That actually adds up to a security advantage for cloud services, as Lingo points out that "a well-established vendor's cloud solution has probably had much much more money spent on its infrastructure, security and competencies than an internal IT shop can often afford".
Micrsoft Office 365 security
All the points sited are spot on. See this video about Microsoft 365 security. SAS II 70 audits yearly and ISO 27001.
By Techquarters on 23 Jul 2011
For more details about purchasing this feature and/or images for editorial usage, please contact Jasmine Samra on firstname.lastname@example.org
- What is Google Inbox?
- How to get the Windows 10 Technical Preview, plus release date, features and latest news
- Nexus 6 release date, specs and price: when will the Nexus 6 go on sale in the UK?
- Lenovo and Ashton Kutcher launch Yoga Tablet 2 Pro, Yoga Tablet 2 and Yoga 3 Pro
- Lenovo Yoga event live stream: watch Ashton Kutcher's tablet launch live
- HTC shows off Desire Eye selfie phone and periscope-like camera
- Xim: the slideshow app to get excited about
- Adobe has more apps for iOS, but none for Android
- How to download and install Windows 10 Technical Preview
- iPhone 6 Plus "less likely to bend than HTC One"
- Google Glass: mugger bait, pub problem and other lessons learned from two dangerous weeks
- Twitter, please don't fiddle with my feed
- How Satya Nadella can get some pay-raise karma
- Windows 10: a step back to go forward
- Michael Dell: Cloud infrastructure is the roads, bridges and highways of the 21st century
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold