When looking to move workload to cloud environments, most Chief Information Officers will say that security is the number one concern. To address those concerns, IT organizations must consider several aspects of security to ensure they do not put their organizations at risk as they explore cloud computing. Some of these concerns regarding security have to do with what the cloud provider's service and operational procedures, and other concerns, have to do with new processes that must be considered, and that did not have to be considered before in the traditional IT model.
To provide effective security for a cloud environment, both the cloud provider and consumer must partner to provide solutions to the following security concerns:
1) Governance and Enterprise Risk Management - The ability of an organization to govern and measure enterprise risk that is introduced by cloud computing. This concern includes items such as legal precedence for agreement breaches, ability of user organizations to adequately assess risk of a cloud provider, responsibility to protect sensitive data when both user and provider may be at fault
2) Compliance and Audit - Maintaining and proving compliance when using cloud computing. Issues involve evaluating how cloud computing affects compliance with internal security policies, and also various compliance requirements.
3) Application Security - Securing application software that is running on or being developed in the cloud. This concern includes items such as whether it is appropriate to migrate or design an application to run in the cloud.
4) Encryption and Key Management - Identifying proper encryption usage and scalable key management. This concern addresses access controls of both access to resources and for protecting data.
5) Identity and Access Management - Managing identities and leveraging directory services to provide access control. The focus is on issues that are encountered when extending an organization's identity into the cloud.
Although, Governance and Enterprise Risk Management are existing functions within most IT organizations, cloud computing introduces several unique challenges around this topic. Part of the responsibilities are that of the cloud provider, and other components are that of the consumer to ensure that the overall solution that is being leveraged meets the governance and Enterprise Risk Management standards of the organization. For example, in the IBM SmartCloud Enterprise offering, IBM requires its customers to secure the application and operating system that is being used, although IBM does provide a base operating system image with basic security configurations.
In addition, most organizations are bound by some form of security compliance guidelines. These guidelines and regulations do not change when moving a workload into the cloud environment. Therefore, consumers of cloud must look at their existing compliance and audit guidelines to ensure that the workloads they move to the cloud still comply with the guidelines by which their organizations are bound. Also, consumers must ensure that any audit requirements can still be met even though the workload has been moved into a cloud environment.
Securing application software that is running or being developed in the cloud is another consideration for security. Standard application security might need to be changed or enhanced based on a cloud provider's environment or customer requirements. Encryption and Key Management becomes critical when moving a workload to the cloud. Using encryption and a scalable key management solution must be considered when leveraging cloud solutions. For example, IBM SmartCloud Enterprise provides a robust key management system for secure access to all Linux compute resources.
Finally, Identity and Access Management is critical to the success of cloud solutions. This ensures only authenticated and authorized individuals get access to the correct components of the workloads that are hosted in cloud solutions. Solutions such as Tivoli® Access Manager with its WebSEAL reverse proxy can help with the authorization of individuals; solutions such as Tivoli Identity Manager can help with the authentication of users.
Summary
When addressing security in a cloud environment, consider five key areas to help ensure that your cloud provider and you as consumers of cloud are creating a cloud solution that meets the business needs. It is critical to consider the governance and enterprise risk aspects of cloud computing along with the compliance and audit implications to the organization. In addition, application security concerns such as encryption, key management, and identity and access management must be addressed to ensure security risks are mitigated in a cloud environment. Although many of these disciplines exist in traditional IT, many of the disciplines must be reviewed when you move workload to a cloud environment.