Cloud evolution can be considered synonymous to banking system. In good old days, people used to keep all the valuable assets (money, precious metals, stones etc.) in their personal possessions and even in underground lockers. They could not trust the bank for depositing their hard-earned money. Banking system evolved over the period of time and it took them almost half a century to build that trust. Regulators all across the world played big role in creating a trusted legal and secured framework for banking and other financial services. Today, we hardly keep any cash; most of us carry plastic money and transact digitally.
Cloud computing is also evolving the same way.
Robust cloud architecture with strong security implementation at all layers in the stack powered with legal compliances and government protection is the key to cloud security. As Banks are doing business despite frauds, thefts and malpractices, cloud security is going to evolve, but at much faster rate. Digital world has zero tolerance for waiting! Evolution is natural and is bound to happen.
So what are the steps typically a cloud service provider should follow in order to secure his cloud?
Cloud is complex and hence security measures are not simple too. Cloud needs to be secured at all layers in its stack. These levels are:
At infrastructure level:
A sysadmin of the cloud provider can attack the systems since he/she has got all the admin rights. With root privileges at each machine, the sysadmin can install or execute all sorts of software to perform an attack. Furthermore, with physical access to the machine, a sysadmin can perform more sophisticated attacks like cold boot attacks and even tamper with the hardware.
At platform level:
Security model at this level relies more on the provider to maintain data integrity and availability. Platform must take care of mentioned security aspects: integrity, confidentiality, authentication, defense against intrusion and DDoS attack and SLA.
At application level:
The following key security elements should be carefully considered as an integral part of the SaaS application development and deployment process:
1. SaaS deployment model
2. Data security
3. Network security
4. Regulatory compliance
5. Data segregation
7. Backup/Recovery Procedure
8. Identity management and sign-on process
Most of the above are provided by PaaS and hence optimal utilization of PaaS in modeling SaaS is very important.
Some of the steps which can be taken to make SaaS secured are: secure product engineering, secure deployments, governance and regulatory compliance audits and third-party SaaS security assessment.
At data level:
Apart from securing data from corruption and losses by implementing data protection mechanism at infrastructure level, one needs to also make sure that sensitive data is encrypted during transit and at rest.
Apart from all the above measures, stringent security process implementation should also be part of making cloud secure coupled with periodic audits. Governing security laws should be amended with advent in technologies, ethical hacking and vulnerability testing should be performed to make sure the cloud is secure across all layers.
Satish Agrawal is Vice President – Cloud Computing at e-Zest Solutions Ltd. He has over 16 years of experience in IT and software product engineering space and has built and implemented end-to-end cloud solutions for clients across geographies
To read this article online, click here.
Membership in the Trusted Computing Group is your key to participating with fellow industry stakeholders in the quest to develop and promote trusted computing technologies.
Standards-based Trusted Computing technologies developed by TCG members now are deployed in enterprise systems, storage systems, networks, embedded systems, and mobile devices and can help secure cloud computing and virtualized systems.
Trusted Computing Group announced that its TPM 2.0 (Trusted Platform Module) Library Specification was approved as a formal international standard under ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission). TCG has 90+ specifications and guidance documents to help build a trusted computing environment.