Finally, the cloud forces organizations to reexamine their methods for evaluating IT solutions providers and to revise their models for establishing trust and consequences. Because parts of their IT infrastructure will now be owned and operated by third-parties, security leaders must be able to ensure those vendors are adequately prepared to secure not just the physical support, but also the virtual one.
Organizations must have the ability to safeguard proprietary information on virtual servers and storage while giving cloud administrators the access and privileges needed to do their jobs. Organizations must also have transparency into cloud providers’ performance against agreed-upon security and business protocols. Specifically, organizations should acknowledge that they can retain control over IT policies and assets, even if they don’t own or directly operate those assets. By maintaining control over policy-setting, the attendant risks of working in the cloud aren’t necessarily higher; they’re just different.
Policy-setting in the cloud usually involves establishing trust relationships between organizations. Trust relationships form the conceptual foundations for cloud security.
Establishing Cloud Relationships: Deciding Who to Trust
Cloud security is not so much a technology issue as it is a trust issue. Many (though not all) of the technologies, services, methodologies and know-how needed to secure the cloud already exist and need to be extended from the enterprise into the darkness. What’s required in order to make cloud computing a truly ubiquitous services platform is a higher degree of trust, particularly between the owner-providers of cloud resources and the companies that use those resources.
Differences Between Private and Public Clouds
Private clouds describe an IT infrastructure in which virtualized servers, storage, networks and applications are administered for the sole benefit of an organization or enterprise. The organization or enterprise needn’t physically own or operate the IT assets that form its private cloud.
Some assets can be outsourced or leased from cloud providers — for instance, computing capacity leased from an outside data center. Nevertheless, the organization still effectively “owns” its private cloud by controlling and setting policies governing how virtual IT assets are operated, with cloud vendors guaranteeing specific levels of service and conformance to agreed-upon standards for information access, security and compliance. If all the IT assets of a privately run cloud are physically owned and operated by the organization itself, the cloud is sometimes referred to as an “internal cloud.”
Public clouds refer to similar virtualized IT infrastructure and services, except policies are not defined and enforced by the enterprise. Although organizations or enterprises may use a public cloud for private business benefit, they don’t control how the cloud is operated, accessed or secured. Popular examples of public clouds include Amazon’s Elastic Compute Cloud (EC2), Google Apps and Salesforce.com.
There are many companies providing services through private and public clouds. (See “Differences Between Private and Public Clouds” above.) Each has its own requirements and processes for authenticating and authorizing users. As these services connect and share information with each other, each service provider must be sure that it knows the degree to which it can trust the clouds, services and users — whether human or machine — with which it transacts. The service provider may have the best information security system in the world, but its efforts are useless if it’s granting peer-level access to cloud partners with less stringent security standards.