I am talking a lot about Cloud Security. There are a few observations I made:
- Even though a lot of people are talking about the Cloud, there is still not too much knowledge about it. What is a private Cloud versus a public Cloud? What is Infrastructure as a Service, Platform as a Service, Application as a Service? And where are the key differences when it comes to risks?
- A lot of businesses look at it as all or nothing. This is simply a massive mistake. There are workloads (like your identity management) that you will keep on premise and wait a really long time before you move them to the Cloud. There are others you might want to move immediately to the public Cloud, and some will stay in a private Cloud.
- There is a lot of fear out there and not a lot of frameworks that can help to bring the whole discussion to a rational level. Actually, there is a lot of material out there, but not a lot that is simple to read and consume.
That’s the reason why Doug Cavit and I wrote the Cloud Computing Security Considerations about a year ago. We came up with 5 points to be considered when looking at the Cloud from a security perspective:
- Compliance and Risk Management: Organisations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.
- Identity and Access Management: Identities may come from different providers, and providers must be able to federate from on-premise to the cloud, as well as to enable collaboration across organisation and country borders.
- Service Integrity: Cloud-based services should be engineered and operated with security in mind, and the operational processes should be integrated into the organisation’s security management.
- Endpoint Integrity: As cloud-based services originate–and are then consumed–on-premise, the security, compliance, and integrity of the endpoint have to be part of any security consideration.
- Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.
These five considerations are very well received and seem to work well for the customers to address part of the points above. The number 1 question I got, however, was: How can I apply this to the different scenarios?
Therefore I am happy to announce that we just released a paper to the web called: Addressing Cloud Computing Security Considerations with a Partner Private Cloud.
We show you how to split responsibilities between the partner and the customer and what the considerations mean for both sides – as always, your feedback is more than welcome!
Finally, stay tuned: In a few days, we will do the same with the public Cloud. This time, however, it will be focused on Office365. As soon as we go live with Office365, we will publish it.