Organisations need to reduce costs, increase storage capacity, and automate both the monitoring of IT environments and the management of resources for disaster recovery and availability, so as to achieve a flexible IT environment. The following are the challenges in the traditional environment:
- Security systems utilise excessive amounts of resources
- Vulnerability scanning or monitoring tools may not detect vulnerabilities or threats because of the fast-growing volume of data
- Accurate and timely information about threats is not widely shared; information about the vulnerabilities remains with a smaller group and not all the stakeholders
- Audit systems are not built to operate on the dynamic nature of data centers
- Frequent failovers occur due to limitations on scalability
- Aggressive cost-cutting plans are degrading security programmes at a time when threats are escalating
- Security access privileges and roles do not follow established standards.
The complexity of the underlying infrastructure in on-premise environments has attracted organisations to the cloud environment to achieve agility, high availability and reliability. An organisation's security and compliance requirements therefore also need to be aligned and automated in an agile cloud environment to realise the desired benefits of moving to the cloud.
Security in the cloud:
Cloud computing provides the next generation of Internet-based, scalable and distributed computing systems in which resources are offered 'as a service'. Today's IT organisations are under increasing pressure to securely deploy applications in public, private or hybrid clouds. In addition to the usual challenges of developing secure IT systems, cloud computing presents an added level of risk because:
- Services are outsourced to a third party
- It requires moving an application into hostile territory
- Governance is lost, or at least shared, with the provider
- Legal and contractual risks are introduced
Cloud security is basically about three goals or objectives:
Cloud security and its compliance are the key components needed to protect cloud infrastructure against ever-evolving new threats. It helps if organisations rationalise compliance requirements, controls, standards and best practices into centralised security policies administered consistently across virtual and physical infrastructures.
Identity and access management (IAM)
Unauthorised access to information resources in the cloud is a primary concern.
Confidentiality, integrity and availability (CIA) form the golden trio of data security. Data security becomes more important while using cloud computing.
At the network level of infrastructure security, it is critical to distinguish between public and private clouds. With private clouds, there may not be new attacks, vulnerabilities or changes in risk that information security personnel need to consider. In public clouds, changing security requirements warrant more attention, considering that it is the cloud service provider that controls the resources.
Virtualisation technologies enable multi-tenancy in cloud business models by providing a scalable, shared resource platform for all tenants. The threat of an unauthorised virtual machine (VM) is far higher because it is very easy to create and deploy virtual machines. Organisations need to enforce strict policies on the use of such virtual machine environments. VM images can be copied, along with the data and applications that they hold, and these copies can be brought back online on an unsecured network, where it becomes easier for an attacker to access the content held within the copied image. Deployment of virtualisation in any organisation should be a controlled, policy-driven roll-out like any other computer platform, software or application.
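One way to make the "controlled, policy-driven roll-out" concrete is an approved-image gate: the build pipeline records a SHA-256 digest for every image it produces, and the deployment step refuses any image whose name is not in that manifest or whose contents no longer match the recorded digest. The Python below is an added illustration, not code from the original article or from any cloud provider; the image names, the byte strings standing in for image files, and the `build_manifest` / `evaluate_image` / `gate_deployments` functions are all constructed assumptions for the example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample image contents. In a real environment these would be the
# image files (qcow2, VMDK, OVA, ...) read from the image store; here they are
# short byte strings so the example runs offline.
BUILT_IMAGES: Dict[str, bytes] = {
    "web-frontend-v3": b"constructed image bytes: web frontend build 3",
    "db-backend-v7": b"constructed image bytes: database backend build 7",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the image contents as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: Dict[str, bytes]) -> Dict[str, str]:
    """Produce the approved-image manifest (image name -> digest).

    Assumption: this runs once in the image build pipeline, and the manifest
    is stored where the deployment gate, not the requester, controls it.
    """
    return {name: sha256_hex(data) for name, data in images.items()}


def evaluate_image(name: str, data: bytes, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether one image may be deployed.

    Returns (allowed, reason). An image is allowed only if its name is in the
    manifest AND its digest matches the digest recorded at build time, so a
    copy that was modified offline and re-uploaded under the same name is
    rejected, as is any image nobody approved.
    """
    digest = sha256_hex(data)
    expected = manifest.get(name)
    if expected is None:
        return False, f"'{name}' is not an approved image"
    # Constant-time comparison; not strictly needed for a digest, but a good habit.
    if not hmac.compare_digest(digest, expected):
        return False, f"'{name}' does not match its approved build (digest {digest[:12]}...)"
    return True, f"'{name}' approved"


def gate_deployments(requests: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, bool]:
    """Apply the policy to a batch of deployment requests; log and return decisions."""
    decisions: Dict[str, bool] = {}
    for name, data in requests.items():
        allowed, reason = evaluate_image(name, data, manifest)
        print(("ALLOW " if allowed else "DENY  ") + reason)
        decisions[name] = allowed
    return decisions


if __name__ == "__main__":
    manifest = build_manifest(BUILT_IMAGES)
    # Constructed requests: one genuine image, one copy altered offline and
    # re-uploaded under the same name, and one ad hoc image nobody approved.
    requests = {
        "web-frontend-v3": BUILT_IMAGES["web-frontend-v3"],
        "db-backend-v7": BUILT_IMAGES["db-backend-v7"] + b" + unapproved change",
        "dev-scratch-box": b"constructed image bytes: ad hoc developer VM",
    }
    gate_deployments(requests, manifest)
```

The gate only helps if the manifest itself is trustworthy: it should be written by the build pipeline and stored (or signed) out of reach of whoever submits deployment requests, otherwise an attacker who can copy an image can also register the copy as approved.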
Cloud resources such as servers, routers, storage devices and power supplies that support cloud operations should be physically secure. Safeguards include adequate control and monitoring of physical access using biometric access control measures and closed-circuit television (CCTV) monitoring. Cloud service providers need to clearly explain how they manage physical access to the servers that host client workloads and hold client data.