Over the Cloud:
A Holistic Approach to Information Security in Cloud Environments


Definitions

Cloud Computing: the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.

Information Security: the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that applies regardless of the form the data may take (e.g. electronic, physical).

Article

Information Security has become an integral part of the Information Technology and compliance ecosystem. Essentially encompassing physical and logical security, it has gained importance with the advance of newer technologies: high-speed internet connectivity, powerful gadgets and easier ways of communicating. The same technological advances are also being used by terrorists and anti-social elements for offensive purposes against humanity. Terrorists, and even some countries, are using these technologies to gain power.

Organizations and national administrations have to implement excellent infrastructure (IT and non-IT) to combat such negative forces. It is not only necessary to use process capabilities, resources and technologies to fight them; it has also become imperative to create stronger environments that prevent greater damage. It is equally important for organizations to create alternative ways to recover data and services in case the infrastructure is damaged through a lapse in security.

Current trends in security indicate that the concerns of leaders over sharing information over the internet have not diminished. Nevertheless, organizations are inclined to use cloud environments to reduce costs and even to recover services in a DR-like situation. Several cloud service providers offer security measures, based on the needs of the customer and using the latest implementations, that are equivalent to those on-site at the customer's premises. This gives the customer confidence that the data is as secure as it would be on his own premises.

Surveys also indicate the criticality of the "inside" on-roll employees in any organization, who are not only the organization's primary assets but also its primary concern for information security. They represent the highest level of risk, as they hold access to much of the organization's crucial information. It is therefore imperative for organizations to use appropriate HR processes to verify and validate employee credentials to the fullest extent possible. This would reduce, although it is difficult to fully mitigate, the inherent risks posed by employees. This holds irrespective of whether the employees use the services / infrastructure within their own premises or in an external environment (such as external datacenters, cloud, managed services etc.). To emphasize further, it is important to realize that the core employees will retain access to and control of crucial organizational data even when the services are outsourced (IaaS, PaaS, SaaS).

For the organizations concerned, it is necessary to take a holistic approach to managing the risks to the information and knowledge that is essential in delivering customer-centric services. The following are the critical risks the organizations would want to take care of:

  1.  Data loss/leakage
  2.  Shared technology vulnerabilities
  3.  Insecure application interfaces
  4.  Malicious insiders
  5.  Abuse and nefarious use of Cloud computing
  6.  Unknown risk profile
  7.  Account, service and traffic hijacking

Conclusion

Although newer, cloud-specific procedures and processes such as the NIST guidelines (SP 500), the ISO 27017 standard and the CSA guidelines (STAR) are to be adopted by most organizations, they should also ensure that these implementations are encompassed by reputed standards such as ISO 27001:2013. This approach not only provides confidence in the minds of their customers, but also ensures that management has a complete view of, and control over, deviations and costs, in addition to monitoring and improving the ability to manage information.

Note: All trademarks and intellectual property are duly acknowledged: CSA®, AMPG® Cloud Computing Whitepaper, NIST®, ISO®.

Abbreviations

CSA / STAR: Cloud Security Alliance / Security, Trust & Assurance Registry
NIST: National Institute of Standards and Technology
ISO: International Standards Organization
IaaS, PaaS, SaaS: Infrastructure, Platform, Software as a Service