Cloud Computing has emerged as an effective alternative to organization-based information systems. In the traditional approach, companies invested in the hardware and software and created their own Information Systems departments. Over the course of a decade, this technology has matured considerably and many new cloud service providers have emerged. Among these cloud service providers, the leaders are Amazon, Google, Microsoft, Rackspace, and Salesforce. (See related post – NextGen Data Center and Security Strategies.)
Cloud adoption lifecycle
As with any emerging technology, organizations actively seek knowledge, insights, and best practices for how to begin their cloud computing initiatives. Organizations want to know how to prepare for their own cloud journey and how to avoid the risks and potholes associated with the early adopter stages of this emerging technology. Organizations must review the Cloud Adoption Lifecycle Model presented below.
Organizational Control Related to Cloud
Cloud Computing is widely considered the next big thing in IT evolution and is being adopted rapidly across the industry. Cloud Service Providers (CSP), Cloud Service Vendors (CSV) and Cloud Service Users (CSU) face real-time problems that they are still trying to resolve. (See related posts – Security considerations for SDN/NFV.) The main concern in cloud computing is security, and security issues remain the only obstacle that may prevent its widespread adoption. As more and more data is migrated to the cloud, there have been more attacks, such as Denial of Service and Authentication attacks.
Key Considerations
Security – like other aspects of data protection – is not something that should be added on as an afterthought. Security should be built into an organization’s strategy and become part of how the organization does business in every respect. Moving to the cloud does not solve the problem if an organization’s existing security architecture and infrastructure are not up to standard; it just adds another element that must be addressed. Below is a checklist that an organization can work through in order to take the correct decisions:
- Before embarking on a cloud computing development ensure that your organisation’s information (and especially IT) security framework is sound, and that responsibility for information security is clearly allocated.
- Ensure that your organisation’s approach to data protection compliance is well thought out, and that responsibility is clearly allocated.
- Before selecting a cloud provider, consider whether your data needs to be retained in the European Economic Area, and if so, make this a key selection criterion.
- For all cloud providers under consideration, check the contract (or standard terms and conditions) very carefully, especially for:
  - ownership of the data
  - security undertakings, and certified security standards
  - location of data (UK?, EEA?, etc.), and whether you have any control over this
  - any mention of liability the provider accepts or excludes
  - any mention of whether the provider uses subcontractors
  - arrangements for you to make your own backups, in addition to those made automatically by the provider
  - how you obtain access to your data in the case of wanting to change provider
  - what happens to your data if the provider (or one of its subcontractors) goes out of business, or if you get into a dispute with the provider
  - any provision for the supplier to use your data for its own purposes
- Mechanisms by which you can verify, for example, where the data is held.
- Verify any claims made by the providers for compliance with, for example:
  - ISO27001
  - Safe Harbor, in the case of a US-based company.
- It is impossible to eliminate all risks. Assess the risks and prepare a risk assessment so that the appropriate people in your organization can make an informed decision.
- Ensure that any contractors assisting in setting up the cloud application are given clear instructions about the security measures they should be implementing.
- Once the cloud service is in place, consider commissioning external testing to ensure that it has been configured correctly and is not vulnerable to any of the well-documented security threats.
- Ensure that access to the cloud application and the data it holds is adequately controlled, especially if it may be accessed by users working at home, or on their own devices.
- Provide adequate training and guidance for all users, so that they know both how to use the system, and how to ensure that personal data placed in it is appropriately handled.