Posts Tagged ‘security and privacy’

Trust challenges of Cloud computing

The Security and Privacy challenges discussed above are also relevant to the general requirement upon Cloud suppliers to provide trustworthy services. If Cloud providers find adequate solutions to address the data privacy and security specificities of their business model, they will have met in a certain way the requirement of offering trusted services. Yet, there are a few other challenges which, if tackled properly, would enhance users' confidence in the application of Cloud computing and would build market trust in the Cloud service offerings.

Continuity and Provider Dependency - The increasing complexity of Cloud architectures and the resulting lack of transparency also increase the security risk. In many Cloud implementations, the centralized management and control introduces several so-called single points of failure. These could threaten the availability of Cloud users’ data or computing capabilities indirectly, as a small incident in the Cloud could have an exponential impact.

Compliance with applicable regulations and good practices - Privacy is one regulatory area particularly relevant to Cloud computing, but it is certainly not the only one. Once the law applicable to a Cloud service is determined, the provider will need to comply with regulations other than privacy, such as: general civil law and contract law, consumer protection law, “e-commerce regulation”, and fair trade practices law.

Change in Cloud ownership and “Force Majeure” - The Cloud market is still immature and the situation of the global economy may affect some of the Cloud industry players too in the coming months or year(s). Accordingly, users of the Cloud must be confident that the services externalized to the Cloud provider, including any important assets (personal data, confidential information), will not be disrupted, as was discussed above (“Continuity and Provider Dependency”).

Trust enhancement through assurance mechanisms – By definition, the Cloud-computing concept cannot guarantee full, continuous and complete control of the Cloud users over their assets. For these reasons, the establishment of appropriate “checks and controls” to ascertain that Cloud providers meet their obligations becomes very relevant for Cloud users (for example, through adherence to generally-accepted standards).

Despite security, privacy and trust concerns, the benefits offered by Cloud computing are too significant to ignore. Thus, rather than discarding cloud computing because of the risks involved, the Cloud participants should work to overcome them so that they can maximize the benefits (e.g. reduced cost, increased storage, flexibility, mobility, etc.). Cloud users should become Risk Intelligent by taking a proactive approach to managing risks and challenges in Privacy, Security and Trust. Risk will become an even more important part of doing business when adopting Cloud concepts.

Risk can then provide both opportunity and peril: poorly managed, it allows a security breach by a hacker or a disgruntled employee, exposing an organisation to potential loss and liability. Effectively addressed, it enables management to exploit e-channels, mobile offices and process efficiency gains and positive results. The Risk Intelligent C-suite should manage information security from the perspective of making money by taking intelligent risks, and of avoiding losing money by failing to manage risk intelligently.

 


Public Cloud Outsourcing

Although cloud computing is a new computing paradigm, outsourcing information technology services is not. The steps that organizations take remain basically the same for public clouds as with other, more traditional, information technology services, and existing guidelines for outsourcing generally apply as well. What does change with public cloud computing, however, is the potential for increased complexity and difficulty in providing adequate oversight to maintain accountability and control over deployed applications and systems throughout their life cycle. This can be especially daunting when non-negotiable SLAs are involved, since responsibilities normally held by the organization are given over to the cloud provider, leaving the organization little recourse to address problems and resolve issues that may arise to its satisfaction.

Reaching agreement on the terms of service of a negotiated SLA for public cloud services can be a complicated process fraught with technical and legal issues. Migrating organizational data and functions into the cloud is accompanied by a host of security and privacy issues to be addressed, many of which concern the adequacy of the cloud provider’s technical controls for an organization’s needs. Service arrangements defined in the terms of service must also meet existing privacy policies for information protection, dissemination and disclosure. Each cloud provider and service arrangement has distinct costs and risks associated with it. A decision based on any one issue can have major implications for the organization in other areas.

Considering the growing number of cloud providers and range of services offered, organizations must exercise due diligence when moving functions to the cloud. Decision making about new services and service arrangements entails striking a balance between benefits in cost and productivity and drawbacks in risk and liability.
