Cloud Security

Now most of the company wants to embrace cloud computing but security is one of the main concern for these companies. Still CEO or CTO of the companies are feeling uncomfortable to use cloud computing. As an Architect, I also feel this is the one of the main area that cloud based application should focus. According to Gartner, There are seven risk factors for cloud computing.

1. Privileged user access
2. Regulatory compliance
3. Data location
4. Data segregation
5. Recovery
6. Investigative support
7. Long-term viability

There are different levels of risk for different type of cloud. Public cloud is front runner in risk among all other types of cloud.
In top of these risks still companies are thinking about cloud implementation in their organization. Companies are saying, risk is everywhere and you should mitigate these risks or overcome these risks.
Cloud is on demand service by provider to consumer, so there should be good understanding of cloud security between provider and consumer like good service level agreement and contract requirement between provider and consumer.
Here are few points to mitigate risks on cloud.

1. Secure logon – In cloud make sure every user has unique user id with proper authorization on cloud. It should be managed properly and it should access directory structure to provide access control.


2. Encrypted data – When you are accessing data on cloud particularly SAAS on public cloud, data should be properly encrypted and it should follow government privacy law (GLBA, DPPA, FCRA, HIPAA, etc.).

3. Secure Data backup – Data backup is one of the key areas where provider and subscriber should focus about security. There should be clear understanding between provider and subscriber in SLA (Service Level Agreement) about data backup security. There should be secure tool to data transfer, backup data and restore data in cloud.


4. Virtualization Security – Virtualization is back bone of cloud computing. There are multiple risks associated with hardware or software virtualization like VM (Virtual machine) isolation, hypervisor or multi-tenancy. To mitigate risk there should be strong and clear isolation level among different VM. There should be good administrative access and control of VM and also good reporting and logging tool for different VM and administration.

5. Application Security — There are big challenges of application security in different layers of cloud as SAAS, PAAS or IAAS. Application vulnerability is available in almost all level and layer of cloud. To mitigate application vulnerability in cloud we should focus on some of security point as given below.

a) Secure communication between application host machine and consumer.

b) Audit and review the application security on cloud in each level of SDLC (Software
    Development Life Cycle).

c) There should be clear security SLA (Service Level Agreement) of application between
    cloud provider and consumer for each layer of clouds (SAAS, PAAS, and IAAS).

d) Encrypted Application data should transit over network.