Fathoming the cloud

Silver Linings

Addressing the A in A-I-C

One area almost all security standards address inadequately, if at all, is the first component of the A-I-C triad (availability, integrity, confidentiality). In the PCI DSS version 2.0 standard [4], the word "availability" doesn't even occur in the document; it focuses pretty much entirely on the confidentiality and integrity requirements. Traditionally, availability hasn't really been addressed by the security side of operations; instead, this is usually left to the server and network admins, at least until an attack takes the site down, in which case the security guys will get involved.

Having given up physical control of assets that hold and process your data, it is critical to ensure the availability of your systems. And by this, I mean going beyond just ensuring that the systems are running; you also need to be sure that you can get your data out of their system in a usable format. It's important to remember that simply having a database dump and all your files will probably not be good enough (e.g., even if your provider is using software that is also available to you, configuration issues could occur). This is an area extensively covered by the CSA in Domain 6 "Portability and Interoperability" [5] of their Security Guidance for Critical Areas of Focus in Cloud Computing.

Security as a Service (SecaaS)

SecaaS is by far the most popular working group of the CSA for the simple reason that this is where most of the money will be. Security as a service has some potentially huge benefits: Large providers can hire expertise that smaller businesses simply cannot afford, run 24/7 operations, and ideally do things cheaper than you can. The accounting people are also excited. Anytime capital expenditures, like buying servers and firewalls, can be traded for operational expenditures, chances are they'll jump at it. The tax benefits are often worth it, and it makes the shareholders happy, assuming you get the same level of service, which is where the problem often lies.

Giving Users a Voice

One problem with standards is that the people with a vested interest (such as vendors) tend to be the most vocal and active because they stand to make a lot of money. The majority of users will typically not make a huge effort to be heard, resulting in standards that are vendor driven and sometimes quite useless. One aspect of the CSA is organizing users and giving them a voice. At last count, the LinkedIn group had almost 18,000 users. Through polls (e.g., the SecaaS Categories of Security Services) and by simply allowing users to raise issues, one hopes the concerns of all will be addressed.
