| Model | Security issues | Cost issues | Control issues | Legal issues |
|---|---|---|---|---|
| Public | i) Least secure ii) Multi-tenancy iii) Transfers over the net | Setup: Highest; Usage: lowest (pay for what you use) | Least control | Jurisdiction of storage |
| Private | Most secure | i) Setup: High ii) New operational processes are required | Most control | -- |
| Hybrid | Control of security between Private and Public clouds | -- | Least control | Jurisdiction of storage |
Security Issues In PUBLIC CLOUD
Public clouds are hardened through continual hacking attempts.
1. Assessment of cloud service provider
The cloud service provider (CSP) should hold the necessary industry certifications, such as SAS 70 Type II.
2. Security of the communication channels
Because data can be accessed from multiple devices such as mobile phones, laptops or thin clients, all communication should be protected using encryption and key management.
3. Transparency of security processes
Cloud service providers may not be able to explain their security processes for their own security reasons.
4. Compliance with regulations
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley Act (SOA)
- Proper implementation of the CIA triad (Confidentiality, Integrity, Assurance)
- Geographical borders - The location of the customer's data is significant. To safeguard against server failure, public cloud service providers will typically implement strong data replication mechanisms. This means that the customer's data might be distributed across the globe in various geographies. This would conflict with the customer's need or requirement to keep their data within a specified border (Microsoft Corporation, 2011).
5. Potential of single security failure
A 2011 report from Privacy Rights Clearinghouse (PRC) says that companies must focus on creating "straight privacy and security policies" as well as data holding policies. Businesses could also avoid "violates" simply by properly encrypting all sensitive information. Note also that if encrypted data is lost or stolen, it will not count as a data failure.
6. Data loss: cross-tenant data leakage
Weaknesses in shared network infrastructure components, such as weaknesses in a DNS server, the Dynamic Host Configuration Protocol, and the IP protocol, may enable network-based cross-tenant attacks in an IaaS infrastructure.
Security Issues In PRIVATE CLOUD
Private clouds have the same security concerns as public clouds. However, there are some security issues specific to the private cloud model. As per the social TechNet articles, the areas that IT decision makers have to bear in mind when implementing a private cloud are legality, data protection and compliance.
1. Security Control
Organizations that use private cloud infrastructure need to ensure effective control of the new environment. The private cloud management architecture should enable management to view the security aspects of the environment and show the current threat levels to the organization. Control oversight is to be provided through a web-based dashboard that translates the security issues into understandable language.
2. Compliance
Organizations such as health and financial operations fall under the auspices of a range of agreement requirements and regulations. For an international organization moving to a private cloud, it is possible that different countries follow different sets of regulations for access to data.
Security Issues In HYBRID CLOUD
1. Absence of data redundancy
Problems are inevitable for any cloud provider, even with its best efforts. Hybrid cloud is a complex system that management has limited experience in managing, and that creates great risk. Cloud architects need redundancy across data centers to moderate the impact of an outage in a single data center. A lack of redundancy can become a serious security risk in a hybrid cloud, specifically if redundant copies of data are not distributed across data centers. It's easier to move virtual machine (VM) instances between data centers than to move large data sets.
Cloud architects can implement redundancy using multiple data centers from a single provider, multiple public cloud providers, or a hybrid cloud. While you can improve business continuity with a hybrid cloud, that shouldn't be the only reason to implement this model. You could save costs and attain similar levels of risk mitigation using multiple data centers from a single cloud provider.
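The redundancy requirement above pulls against the "Geographical borders" point in the public cloud section, since every extra replica is another place the data lives. The following added example (not from the original article) audits a replica inventory against both rules at once; the inventory format, dataset names, data center names and policy fields are all assumptions made for illustration.

```python
from collections import defaultdict

def audit_placement(replicas, policy):
    """Check replica placement against residency and redundancy rules.

    replicas: iterable of (dataset, data_center, country) tuples
    policy:   {dataset: {"allowed_countries": set, "min_data_centers": int}}
    Returns {dataset: [finding, ...]} for datasets that break a rule.
    """
    by_dataset = defaultdict(list)
    for dataset, dc, country in replicas:
        by_dataset[dataset].append((dc, country))

    findings = defaultdict(list)
    for dataset, rule in policy.items():
        placed = by_dataset.get(dataset, [])
        allowed = rule["allowed_countries"]
        # Residency: every copy must sit inside the permitted border.
        for dc, country in placed:
            if country not in allowed:
                findings[dataset].append(
                    f"copy in {dc} ({country}) is outside the allowed border")
        # Redundancy: only compliant copies count, and they must span
        # enough distinct data centers to survive a single outage.
        good = {dc for dc, country in placed if country in allowed}
        need = rule["min_data_centers"]
        if len(good) < need:
            findings[dataset].append(
                f"only {len(good)} of {need} required data centers "
                "hold a compliant copy")
    # Data that is stored somewhere but has no policy is itself a finding.
    for dataset in sorted(by_dataset.keys() - policy.keys()):
        findings[dataset].append("no placement policy defined")
    return dict(findings)

# Constructed inventory and policy (hypothetical names throughout).
REPLICAS = [
    ("patients", "private-dc1", "DE"),
    ("patients", "public-eu-a", "DE"),
    ("patients", "public-us-a", "US"),
    ("ledger", "private-dc1", "DE"),
    ("web-assets", "public-eu-a", "DE"),
    ("web-assets", "public-us-a", "US"),
]
POLICY = {
    "patients": {"allowed_countries": {"DE"}, "min_data_centers": 2},
    "ledger": {"allowed_countries": {"DE"}, "min_data_centers": 2},
    "web-assets": {"allowed_countries": {"DE", "US"}, "min_data_centers": 2},
}

if __name__ == "__main__":
    for name, issues in audit_placement(REPLICAS, POLICY).items():
        print(name, issues)
```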
2. Compliance
In a hybrid cloud, maintaining and demonstrating compliance are more difficult. Not only do you have to ensure that your public cloud provider and private cloud are in compliance, but you must also demonstrate that the means of coordination between the two clouds is compliant.
For example, if your company works with payment card data, you may be able to demonstrate that both your internal systems and your cloud provider are compliant with the Payment Card Industry Data Security Standard (PCI DSS). With the introduction of a hybrid cloud, you also have to ensure that the data moving between the two clouds is protected.
In addition, you'll need to ensure that card data is not transferred from a compliant database on a private cloud to a less secure storage system in a public cloud. Also, the methods you use to prevent a leak on an internal system may not directly translate to a public cloud.
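One way to enforce the rule that card data must not leave the compliant private database is a check on the sync path between the two clouds. This is an added example, not code from the original article; the record layout and the function names are assumptions, and the card numbers are publicly documented test numbers.

```python
import re

# Candidate PANs: 13-19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which payment card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number in text, masked for logging."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            # Keep only the first six and last four digits in the finding.
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def split_for_public_sync(records: list[dict]):
    """Separate records safe to copy to the public cloud from those held back."""
    allowed, blocked = [], []
    for rec in records:
        found = [p for value in rec.values() for p in find_pans(str(value))]
        if found:
            blocked.append((rec["id"], found))
        else:
            allowed.append(rec)
    return allowed, blocked

# Constructed sample records (hypothetical layout).
SAMPLE = [
    {"id": 1, "note": "order shipped", "ref": "4111 1111 1111 1111"},
    {"id": 2, "note": "tracking 1234567890123456", "ref": "n/a"},
    {"id": 3, "note": "card 5555-5555-5555-4444 declined", "ref": "n/a"},
]

if __name__ == "__main__":
    ok, held = split_for_public_sync(SAMPLE)
    print("sync:", [r["id"] for r in ok])
    print("held:", held)
```

Record 2 passes because its 16-digit tracking number fails the Luhn check, which is what keeps the false-positive rate of a digit-pattern scan manageable.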
3. Poorly constructed SLAs
You have to be very confident that your public cloud provider can consistently meet the expectations detailed in the service-level agreement (SLA). Ascertain that your private cloud lives up to that same SLA. If not, you may need to create SLAs based on the expectations of the lesser of the two clouds, and that may be your private cloud. Collect data on your private cloud's availability and performance, and look for potential problems with integrating public and private clouds that could disrupt service. For example, if a key business driver for the private cloud is keeping sensitive and confidential data on-premises, then your SLA should reflect the limits to which you can use public cloud for some services.
4. Risk management
From a business perspective, managing information security risk is very difficult. Cloud computing (hybrid cloud in particular) uses new application programming interfaces (APIs), requires complex network configurations, and pushes the limits of traditional system administrators' knowledge and abilities. These factors introduce new types of threats.
5. Security management
The existing security controls such as authentication, authorization and identity management should work in both the private and public cloud. To integrate these security protocols, we have one of two options: Either replicate controls in both clouds and keep security data synchronized, or use an identity management service that provides a single service to systems running in either cloud. Allocate sufficient time during your planning and implementation phases to address what could be fairly complex integration issues.