Traditional on-premises IT has evolved into a hybrid model that now includes both public and private clouds in the ecosystem. Adding to the cloud dimension presents new security risks that make it even more important to adopt a cohesive and holistic security policy.
This is the first in a two-part blog on the security risks involved in cloud computing. Thoroughly understanding and mitigating these risks is fundamental to realizing the full benefits of the cloud. This first post focuses on the different types of security risks. The second will discuss the solutions and expertise required to ensure cloud security.
Cloud-based security risks can be grouped into one of four categories:
1. Cloud services (infrastructure, applications, hosted code)
This category encompasses the cloud services themselves and any application or middleware that has been deployed. Security concerns around software or middleware vulnerabilities, viruses and external threats fall into this category. The concerns here are further intensified, given that public cloud services typically exist within multi-tenant environments where cloud services for multiple clients are logically isolated but served from the same physical servers and data centers.
Data-specific concerns are particularly prevalent within public cloud or private cloud environments. These concerns include data integrity, data lock-in, data remanence and provenance, data confidentiality and user privacy.
There also are concerns around data sovereignty—the concept that data is subject to the laws of the country in which it is located. Depending on the specific countries in which an organization operates, there may be a need to keep certain types of data within a defined geographic boundary, likely resulting in geographical restrictions on the cloud services that can be used.
Further, the impact of the U.S. Patriot Act must be considered as it affects U.S.-based corporations as well as their wholly-owned subsidiaries based within and outside of the European Union.
This category comprises concerns around cloud access—authentication, authorization and access control or AAA—as well as encrypted data communication and user identity management. Secure, definitive and efficient on-boarding and off-boarding become more challenging as organizations adopt cloud services from multiple service providers.
Due to the size and disruptive influence of cloud computing, it is attracting attention from regulatory agencies, especially with respect to issues related to security audits and data location, as well as operation trace-ability and compliance. Challenges exist in determining whether cloud service providers are compliant with applicable regulations, which might exist outside of the cloud service provider’s own legal jurisdiction.
Identifying and understanding these risks is the first step to addressing them. A cloud security expert is a vital resource to ensure an organization has a thorough picture of these risks and a roadmap for mitigating them. CGI's managed cloud security and advisory services help clients across many industries improve their hybrid IT and cloud security postures more effectively and at lower cost than doing it themselves.
In my next blog post, I will discuss the solutions and expertise required to ensure cloud security. In the meantime, feel free to contact me with any questions on this important topic.