Bdigital’s Antoni Felguera and Mario Reyes discuss some of the security concerns surrounding cloud computing
Cloud Computing is a term used to describe the use of a collection of services, applications, data and infrastructure that can be rapidly orchestrated, provisioned and decommissioned. Cloud Service Providers (CSP) achieve this by using innovative architectures in which resources are virtualised and resource management is largely automated, thus providing an on-demand, cost-effective, elastically scalable utility-like model for meeting users' ICT requirements in different contexts.
While the economic advantages of clouds are now clear, the provision and use of clouds presents some challenges for the management of business and legal risks, especially for public clouds. These arise from the fact that the controller of a virtual device in the cloud rarely has physical control over the real devices on which it runs, nor even which devices are used or who else they may be shared with. This leads to ambiguities over who is legally or practically responsible for managing risks to the virtual device and its contents, especially where the physical and virtual device controllers are in different jurisdictions.
This is also true for research environments, where they frequently must assure a certain level of confidentiality and integrity regarding some sensible data when performing their experiments, such as personal or medical data, or taking into account different legislations when accessing, computing or storing some private or confidential data. This is usually addressed by setting up authorisation and access control mechanisms that allows us to know who and how is accessing what, and putting up conditional requirements for accessing the different resources depending on the nature and localisation of the data.
This and other issues have been already well identified as a set of core security challenges in different papers and reports, such as CSA Security Guidance v3. Nevertheless, the root of the problem remains the same: how can I manage the risk if I cannot manage the computing systems? Even if you can agree a Service Level Agreement (SLA) with your CSP, all the security controls you have are based in ‘trust’ (sometimes even faith). What can we do then?
To address this important issue, the international Cloud Computing security community and organisations, such as the CSA, NIST, or ENISA, have made efforts to identify and characterise the different associated risks. Some of them have introduced and invested in a different line of research based on ‘security-by-transparency’. For instance, CSP provide security information transparently to the client so that an audit of the measures deployed by the supplier could be carried out. Furthermore, there are a number of currently ongoing initiatives that provides a clear evidence of how important is the area of remote security auditing and assurance. These include, the CloudAudit, Trust Cloud Protocol and the Cloud STAR by CSA, SCAP by NIST, Cloud Computing Management Audit / Assurance Program by ISACA, TAC by CAMM, FedRamp by CIO.gov, O-ACEML by The Open Group, Conformace Testing Program by SNIA, and CADF by DMTF, to name a few.
The security audit information at CSP can provide the client with, is classified into i) documentation on legal and juridical framework, standards, internal procedures, rules, etc., ii) configuration information concerning clients' services and systems, and iii) information related to the monitoring and continuous tracking of activity (events).
The auditing information is particularly important in public deployment models where both the infrastructure and the service are managed by the CSP. In private deployment models, the resources are controlled by the client and the client therefore has the same opportunities to audit its IT systems as in more traditional, non Cloud-based approaches. More research, as the one we are performing at BDigital, is needed to enhance current capabilities of ensuring cloud-based computing models.
Antoni Felguera is head of Security, R&D group at BDigital, and Mario Reyes is senior researcher of Security, R&D group at BDigital.
BDigital (Barcelona Digital) is an advanced technology centre based in Spain that specialises in the application of Information and Communication Technologies (ICTs) in the fields of healthcare, security, mobility and energy.