Enterprises want and need greater transparency and assurance from cloud computing providers. An organization needs to know where its data is stored, how it is managed, and who has access to it while it is in a third-party cloud provider’s environment. And the organization needs the reassurance that if or when it switches cloud providers, no data is left behind. The industry needs to continue to work on providing cloud computing customers with the ability to track and monitor data when using cloud computing, which will help ensure against data loss.
As a provider who has been serving the needs of enterprise IT for more than 10 years, we address the vast majority of our clients’ key security demands and have evolved our practices over time to keep pace with constantly changing security requirements. One area in cloud security that can create confusion for clients is the vast array of potential security standards that a cloud vendor could choose to adopt. SAS 70, PCI, SSAE 16, International Standards Organization (ISO) 27001 and 27002, and FISMA are just a few. There are groups like the Cloud Security Alliance (CSA) forming to attempt to organize the disparate set of rules into a cloud-specific standard. Until there is a widely accepted security standard, clients and vendors will continue to have to choose from the variety available today.
Absolutely. There is no silver bullet in security, and it is not an easy problem to solve. Ultimately, cloud infrastructure providers must architect their solutions to provide the visibility and transparency that large enterprises need as they move more computing resources and applications to the cloud. All of us need to work on a continuous improvement in security posture to protect our data, independent of where that data happens to be hosted or is physically found at the time it is accessed.
Full demonstration of data life-cycle management is a challenge for all providers, cloud-based or not. Once an enterprise’s data is in the hands of a service provider, demonstrating or proving that the data has not been accessed by any outside parties, that backups are in a secure location, and that all data is erased or unrecoverable upon deletion is difficult. Encryption of all data at rest is a possible solution, but the impact on overall system performance can be significant. Only recently have technologies such as Intel AES-NI (in the CPU) come to market to alleviate performance concerns. Additionally, enabling the customer to be the only holder of the private key to unlock their data is nearly impossible while also managing the infrastructure demands of other customers. In addition, as we expand our closely held federated cloud into a more open, diverse environment, there are several key security areas that we will need to address, such as software integrity, data encryption in motion, and transference of application authentication.
Intel IT Center Vendor Round Table | Cloud Security