Monday 16 July 2018

Mitigating the Risks of Cloud Computing

We have seen a definite trend over the last few years of businesses moving their data and services to the cloud. A number of cloud computing service providers have sprung up and the sector has seen explosive growth. As with most new technologies, opinions are divided on the merits of cloud computing. Some analysts see it as the greatest thing since sliced bread and predict an irreversible shift towards cloud computing.
They find an analogy in the electrical power grid: computing becomes a utility like electrical power. Others compare cloud computing to collocation and time sharing computing schemes. They foresee that the pendulum will swing back and cloud computing will fall out of fashion sooner rather than later.

The most likely outcome is of course not as black and white as some people like to see it. The old time sharing computing and software as a service (SaaS) providers were limited in their reach. Now the cloud is the Internet, and the Internet is everywhere. Service providers can therefore conduct business globally with little technical effort. Cloud computing is not the solution or even a viable solution for every company out there. Open source software evangelist Richard Stallman has called cloud computing a "trap", adding that individuals and businesses should not trust remote service providers with their valuable data. Although these comments are rather extreme, Mr. Stallman has a valid point regarding information security and the cloud. Trusting the cloud with data and services brings with it a new set of risks to consider. Mr. Stallman obviously prefers to maintain full control of his data and software.

However, building and operating a data centre is not a viable solution for most companies. Smaller organizations which do business around the globe can benefit from services provided by the cloud. What they must realize is that cloud computing may mean delegation of security to the cloud operator. This delegation means additional risk which must be mitigated with appropriate controls. Examples of risk include downtime or cessation of operations by the cloud service provider and data storage failure in the cloud infrastructure. Examples of controls would include service level agreements (SLA) with service providers, specifying the acceptable downtime; redundant services with multiple service providers; and a local backup system for valuable data.

ENISA, the European Network and Information Security Agency, recently published a 125-page report on cloud computing risk assessment, detailing the many issues to consider before moving to the cloud. Another body concerned with cloud security is the Cloud Security Alliance. They have issued the first version of a comprehensive security guidance that specifies the security benefits and challenges for all critical areas of cloud computing, divided by service model. The main service models are IaaS, SaaS and PaaS, which stand for Infrastructure as a Service, Software as a Service and Platform as a Service respectively. In IaaS the cloud provider takes on the least security responsibility, whereas in SaaS it takes on the greatest. In PaaS, the provider's responsibility lies somewhere between these two extremes.

Companies and institutions should perform a risk assessment before a decision is made on the inclusion of sensitive information in the cloud. Various security controls can be implemented to reduce risk and ensure safety. Security does not necessarily depend on a single control; rather, it is the overall functionality of every implemented security control. This is why Stiki has developed RM Studio, an innovative software solution based on international standards which helps companies to do gap analysis and risk assessment which sharpen their competitive edge.


