Demystifying cloud computing security
by Mirko Zorz - Monday, 10 October 2011.
Phil Neray is the VP, Data Security Strategy, InfoSphere Guardium & Optim at IBM. In this interview Phil talks about the complex issues surrounding cloud computing security, offers insight into what companies migrating to the cloud can expect and lines up tips for those who have to consider migrating to a cloud computing solution for mission-critical IT services.

Although cloud computing has been widely accepted in the enterprise and its usage is growing exponentially, many are still worried about the security risks. IT managers have nightmares about insecure APIs and interfaces as well as possible account hijackings. How can a company be sure they are getting a secure cloud computing solution whose implementation is secure from every possible aspect?

While cloud technology and virtualization technologies provide many important benefits including increased agility, on-demand scalability and lower costs, they also offer unique security challenges for enterprises.

According to the National Institute of Standards and Technology there are three types of service models for cloud computing, with each providing enterprises with varying levels of control over security capabilities:

1. Software as a Service (SaaS) – In this deployment model, the cloud provider delivers the entire stack including the application itself as a hosted service. Examples of SaaS offerings include, Gmail and Lotus Live collaboration services. With SaaS, enterprises have little direct control over critical security capabilities such as data encryption or compliance auditing and activity monitoring. However, enterprises are still legally responsible for the confidentiality and integrity of their customer data and other sensitive information. The recommended approach is to ensure – via RFPs and contractual commitments -- that your SaaS provider is providing the critical security capabilities you needed.

2. Platform as a Service (PaaS) – In the PaaS deployment model, the cloud provider delivers an application development platform – including programming languages and APIs – for creating applications on their cloud infrastructure. The enterprise doesn’t manage or control the underlying cloud infrastructure (network, servers, operating systems, or storage) but has control over the deployed applications and possibly application hosting environment configurations. Examples of PaaS offerings include Microsoft Windows Azure, and Google App Engine. There is more control over security with PaaS than with the SaaS model, but as the provider is still responsible for most security capabilities, enterprises should rely primarily on contractual commitments to meet their security needs.

3. Infrastructure as a Service (IaaS) – With IaaS, the enterprise controls most of the stack including operating systems, storage, and deployed applications. Examples include Amazon EC2, RackSpace Cloud Servers and IBM SmartCloud Enterprise. Enterprises typically have direct control over security components such as data encryption, host firewalls and activity monitoring.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th