5  Overview of Cloud Standards

brokering/management vendors (such as RightScale, CloudKick and CloudSwitch) whose tools interoperate across cloud environments to provide management capabilities through a single interface. As predicted by Gartner [18], they could eventually provide a lot of additional services by building an abstraction layer across the clouds. Some of them are part of the standards bodies driving these standards.

5.2.4  Gaps/Areas of Improvement

The mature initiatives are focused on the infrastructure layer, leaving gaps in the scenarios discussed earlier:

1. Interoperability/integration between cloud delivery models (SaaS, PaaS and IaaS) is not addressed. Except for Unified Cloud Interface and Cloudware Arch, the rest primarily focus on the Infrastructure layer (IaaS).

2. Standards for interaction between private and public clouds are also not addressed. One such scenario is the usage of hybrid cloud.

Various vendors such as Amazon and other cloud brokers seem to have the required technology, but have to contribute by participating in the standardisation initiatives.

5.3  Deep Dive: Security Standards

Some of the scenarios of security that Nimbus would encounter, having adopted cloud computing, would be:

– Availability/Reliability – Amazon Web Services or Force.com could have outages that render Nimbus’ marketing application unusable.

– Data isolation/multi-tenancy – cloud providers, especially the SaaS vendors, enable multi-tenancy in their environment. This could lead to data isolation issues unless secured with proper access controls. Nimbus could have its data exposed to another client of Birst if the right controls are not in place.

– Data ownership – ideally Nimbus should own the data even if it resides with the cloud provider. However, the cloud provider also has access and could take ownership of some of the derived data such as platform usage patterns. This needs to be clarified between the parties.

– Trust – the relationship between Nimbus and the cloud provider runs on trust. Nimbus could have performed audits or been shown audit reports of, say, Amazon’s environment, but it is a matter of trust to believe that what has been shown is indeed active on Nimbus’ environment or that its data are not misused by the provider’s employees.

There are many more aspects of security such as service levels on data usage, data privacy, compliance, etc., that a cloud user would encounter. Are the reasons behind these unique challenges understood?

A. Govindarajan and Lakshmanan

5.3.1  Purpose, Expectations and Challenges

Cloud computing brings in certain security challenges not seen in typical on-premise/enterprise infrastructure due to the nature of its model, such as:

Distributed model – the data and services are spread across multiple data centres and infrastructures causing concerns of availability, ownership and compliance.

Shared model – the cloud works on sharing code bases/services and infrastructure for data and services across multiple clients causing concerns of data isolation.

Access ubiquity – cloud services are web-based and can be accessed from anywhere by means of any client type – secure or non-secure – causing concerns of hacking.

The focus is thus to ensure that security controls are effective to address these challenges. Broadly, the expectation from the standard would be to address:

– Cloud Data Security ensuring
  – Accountability (validating claim of identity by a user, user authentication and auditing of user actions)
  – Authorisation (access control to allow or deny user access based on privilege and confidentiality to prevent information disclosure to unauthorised parties)
  – Availability (data to be accessible whenever needed and with integrity)

– Cloud Service access security
  – To avoid Domain Name System (DNS) security threats during service access (e.g. IP hijacking, changing the path to destination IP)
  – To avoid Denial-of-Service (DoS) attacks on the cloud, impacting its availability

– Managing compliance due to issues such as data storage across geographies, etc. (this is extensively covered in the compliance section subsequently).

5.3.2  Initiatives – Focus, Sponsors and Status

Tables 5.3 and 5.4 show some of the key initiatives by industry bodies as well as by vendors towards security standards.

Table 5.3  Security – group initiatives

| Standard name | Group/body | Focus | Readiness |
|---|---|---|---|
| Cloud Security Alliance Guidelines [19] | Cloud Security Alliance [20] | To outline areas of security concern and guidance for cloud providers to improve security of their service offerings | First version ready. Ver 2 expected in October 2009 |
