Cloud computing continues to grow into every corner of the enterprise. Our Ann All reports on the growing trend to view the cloud not only as a platform for delivering computing power and encapsulated applications, but also as a way to deliver entire business processes as a service.
Regardless of how you employ the cloud - and you will, if you haven't already - security will be a key focus, as it is with every other enterprise technology. Our partners at the National Institute of Standards and Technology have prepared a detailed report and corresponding presentation that covers the broad scope of security issues relating to the cloud. Both of these resources are available free to IT Business Edge members here in the IT Downloads library.
Guidelines on Security and Privacy in Public Cloud Computing is a 60-page NIST special report that digs into specific cloud delivery models; at some point you actually will need to know the minute differences between platform-as-a-service and infrastructure-as-a-service offerings, which are discussed in the image below.
Other topics discussed in the report include:
The differences between negotiable and non-negotiable service-level agreements. Very large cloud providers are not in the market to tailor their SLAs on a per-client basis; it erodes their economies of scale. If you have very specific concerns about security (e.g., a regulatory program like Sarbox to which you are subject), you probably need to look for a provider who is already certified for that standard, or be prepared to pay noticeably more for the level of service you require.
Cloud providers actually have security specialists on staff. Any time data moves across the public Internet there are risks, but the report does note that with the large scale of cloud distribution comes the capacity for staff specialization in critical areas like security. SMB dev shops tend not to have that luxury.
Data concentration. By its very nature, the cloud addresses a key concern for many organizations: what to do with all that data stored on all those mobile devices. Cloud apps aren't big on localizing data.
Emerging attack vectors. Not everything is rosy with the cloud, of course. Sophisticated network probing can actually identify service patterns within cloud infrastructures, and multi-tenancy and seamless resource sharing have spawned highly complex software. With complexity comes risk.
You will want to take the Effectively Using and Securing the Cloud Computing Paradigm PowerPoint Presentation with you to your next executive management team meeting. It's 92 slides' worth of fairly deep detail and case-study info. One of the main goals laid out by NIST in the presentation is the "fungible" cloud, in which services can be readily substituted for each other and providers rely on federated security services.