Navigating the Security Maze for Cloud Computing

Posted: February 06, 2013

Cloud computing is a very popular topic. Here is an article that provides information on the security of the cloud.

Wired published a good article titled "Navigating the Security Maze for Cloud Computing."

"Cloud computing offers a value proposition that is different from traditional enterprise IT environments. By providing a way to exploit virtualization and aggregate computing resources, cloud computing can offer economies of scale that would otherwise be unavailable. The elastic nature of cloud computing provides near immediate access to resources. This is in contrast to the traditional approach of investing capital, resources and time in designing and implementing infrastructure (hardware and middleware). This allows organizations to drive to realize business benefits faster by shortening time to market.

Understand the benefits and risks

While the benefits of cloud computing can be very persuasive, consumers must have a clear understanding of potential security benefits and risks of a potential cloud provider. This allows a consumer to set realistic expectations with their internal business partners as well as the cloud provider. Transitioning to public cloud computing involves a transfer of responsibility and control to the cloud provider over information as well as system components that were previously under the organization’s direct control. The transition is usually accompanied by loss of direct control over the management of operations and also a loss of influence over decisions made about the computing environment.

While security risks need to be addressed, use of cloud computing provides opportunities for innovation in provisioning security services that hold the prospect of improving the overall security of many organizations. Cloud service providers should be able to offer advanced facilities for supporting security and privacy due to their economies of scale and automation capabilities – potentially a boon to all consumer organizations, especially those who have limited numbers of personnel with advanced security skills.

As consumers transition their applications and data to use cloud computing, it is critically important that the level of security provided in the cloud environment be equal to or better than the security provided by their traditional IT environment. Failure to ensure appropriate security protection could ultimately result in higher costs and potential loss of business thus eliminating any of the potential benefits of cloud computing.

Scrutinize the SLA

Despite this inherent loss of control, the cloud service consumer still needs to take responsibility for their use of cloud computing services in order to maintain situational awareness, weigh alternatives, set priorities and effect changes in security and privacy that are in the best interest of the organization. The consumer achieves this by ensuring that the contract with the provider and its associated service level agreement (SLA) has appropriate provisions for security and privacy.

In particular, the SLA must help maintain legal protections for privacy relating to data stored on the provider’s systems. The consumer must also ensure appropriate integration of the cloud computing services with their own systems for managing security and privacy. The requirement for a strong and fair contract and SLA puts the onus on the cloud consumer. It is extremely important that the consumer understand the service levels of the provider prior to accepting any inherent risks that the structure may set forth.


An excellent resource that can help consumers with the security maze of cloud computing is the “Security for Cloud Computing: 10 Steps to Ensure Success” white paper recently published by the Cloud Standards Customer Council (CSCC). The CSCC is an end user advocacy group dedicated to accelerating cloud’s successful adoption, and drilling down into the standards, security and interoperability issues surrounding the transition to the cloud.

The CSCC white paper provides a prescriptive series of steps that should be taken by cloud consumers to evaluate and manage the security of their cloud environment with the goal of mitigating risk and delivering an appropriate level of support. The following steps are discussed in detail:

  1. Ensure effective governance, risk and compliance processes exist
  2. Audit operational and business processes
  3. Manage people, roles and identities
  4. Ensure proper protection of data and information
  5. Enforce privacy policies
  6. Assess the security provisions for cloud applications
  7. Ensure cloud networks and connections are secure
  8. Evaluate security controls on physical infrastructure and facilities
  9. Manage security terms in the cloud SLA
  10. Understand the security requirements of the exit process

Combined with a previous CSCC white paper on how cloud consumers should manage cloud contracts and Service Level Agreements (SLAs), the security paper is aimed at giving good information and advice to people who don’t have deep security expertise. It provides a step-by-step “here’s how” for cloud consumers to get through the process with some cautions."
