What is cloud computing? In its most basic form, cloud computing is outsourced hosting of data and services. It's often referred to as utility computing or grid computing.
There is no loss of praise for cloud computing. The many benefits being touted by industry press and analysts include cost savings, being "Green" and achieving on-demand access to applications from anywhere. That is, until we start talking about the potential risks and security implications of leveraging cloud computing.
The three basic tenets of information security and assurance are confidentiality, integrity, and availability, also known as CIA.
Confidentiality provides that information is only accessible to intended parties. Integrity ensures that the information has not been modified. Availability implies that information is available when it is needed.
Applying the concepts of CIA to cloud computing environments at a cursory level, these are a few questions you should ask your cloud computing provider:
- From a confidentiality perspective, what controls are in place to ensure that other cloud customers can't view personal or organizational data?
- What about integrity; what assurances are provided that data has not been changed while "in the cloud."
- From an availability perspective, how can you ensure that data will be available and will be in a usable form when it is most needed?
- Where is the empirical evidence to prove any security assertions provided? Has an independent third party assessed your cloud computing environment?
This discussion should provide you with a good starting point to determine if cloud computing makes sense for your environment based on the security controls provided in the cloud.
Ben Halpert, CISSP, is an information security researcher and practitioner and writes monthly about security. Comments, questions and requests can be sent to him at email@example.com; please include SECURITY in the subject line.