security in cloud computing overview
TRANSCRIPT
-
8/3/2019 Security in Cloud Computing Overview
1/8
Security in Cloud ComputingA Microsoft Perspective
January 2010
-
8/3/2019 Security in Cloud Computing Overview
2/8
1
2009 Microsoft Corporation. All rights reserved.
The information contained in this document represents the current view of Microsoft Corp. on the issues
discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it
should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or
otherwise), or for any purpose, without the express written permission of Microsoft.
Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement
from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights or other intellectual property.
2009 Microsoft Corp. All rights reserved.
Microsoft, Bing, Hotmail, Microsoft Dynamics, MSN, and Windows Live are either registered trademarks or
trademarks of Microsoft Corp. in the United States and/or other countries. The names of actual companies
and products mentioned herein may be the trademarks of their respective owners.
Microsoft Corp. One Microsoft Way Redmond, WA 98052-6399 USA
-
8/3/2019 Security in Cloud Computing Overview
3/8
2
2009 Microsoft Corporation. All rights reserved.
Contents
Cloud Computing Evolution .................................................................................... 3
Cloud Computing Considerations ............................................................................ 4
Cloud Computing Benefits and Challenges ............................................................... 5
Closing ................................................................................................................. 7
-
8/3/2019 Security in Cloud Computing Overview
4/8
3
2009 Microsoft Corporation. All rights reserved.
Cloud Computing Evolution
The world of information technology is at a transitional moment. Internet-based data storage and
services also known as cloud computingare rapidly emerging to complement the traditional
model of running software and storing data on personal computers (PCs) and servers. Cloudcomputing enhances computing experiences by enabling users to access software applications and
data that are available on demand and are stored at off-site data centers or at an organization s1 on-
site data center, rather than on an individual device or PC.
The term cloud computing is not radically new and some services have long been offered in the
cloud.E-mail, instant messaging, business software, and Web content management are among the
many applications that are offered via a cloud environment. Many of these applications have been
offered remotely over the Internet for a number of years, which means that cloud computing might
not feel markedly different from the current Web for most people. (Technical readers will rightly cite
a number of distinct attributesincluding scalability, flexibility, and resource poolingas key
differentiators of the cloud. These types of technical attributes will not be addressed here as they
are outside the scope of this document.)
For example, traditional e-mail services run in provider data centers, with user data shared on e-mail
servers. But these older cloud services lack some of the key characteristics of the new cloud. They
are mainly mainstream software as a service models in the public cloud, in which the provider
controls everything from the underlying hardware to user authentication. Users cannot host their
own applications and their elasticity is limited. In addition, users are given finite storage space.
The term cloud computing refers to several different computing paradigms, not all of which are
completely new. For example, as the United States Institute of Science and Technology (NIST) has
explained,2 cloud computing has three service models:
1) Software as a Service, through which applications are provided in the cloud;2) Platform as a Service, through which a cloud provider permits users to create or run
applications using languages and tools supported by the provider while the provider
delivers the underlying infrastructure such as servers, operating systems, or storage; and
3) Infrastructure as a Service, through which a customer can deploy a computinginfrastructure similar to a virtualized environment.
The essential characteristics of all three models include self-service (a customer can access new
capabilities), shared resources, and rapid elasticity (e.g., as a business grows, it can rapidly add
additional processing power and storage).
Cloud services can be delivered as private clouds operated solely by or for one organization,
community clouds for organizations with similar service requirements, and public clouds where there
is one general service level agreement and data resides on shared resources.
The cloud model is far more flexible and interesting, and has important implications for security
and privacy-increasing security in certain areas but posing new risks as well.
1For the purposes of this document, an organization broadly describes a governmental or business entity, group, or team
2http://csrc.nist.gov/groups/SNS/cloud-computing/
http://csrc.nist.gov/groups/SNS/cloud-computing/http://csrc.nist.gov/groups/SNS/cloud-computing/http://csrc.nist.gov/groups/SNS/cloud-computing/http://csrc.nist.gov/groups/SNS/cloud-computing/ -
8/3/2019 Security in Cloud Computing Overview
5/8
4
2009 Microsoft Corporation. All rights reserved.
Services that operate in the cloud often work in tandem with a client application operating on the
desktop computer. For example, instant messaging and e-mail applications running on a computer
rely on the cloud infrastructure for their connected features and also require a client download. The
combination of client plus cloud offers individuals, governments, and businesses greater choice,
agility, and flexibility while also greatly increasing efficiency and lowering information technology
(IT) costs. It gives customers access to information, software, and services at lower cost and on a
range of intelligent devicesfrom PCs to mobile phones to televisions. As a result, this next
generation of computing has enormous potential to create new business opportunities and economic
growth.
As with other major technological transitions, the evolution of cloud computing has drawn
widespread attention and scrutiny in the news media. It has also raised policy questions concerning
how people, organizations, and governments handle information and interactions in this
environment. However, with regard to most security and data privacy questions, cloud computing
reflects the evolution of the Internet computing experiences we have long enjoyed, rather than a
revolution.
This paper examines, at a high level, the changes that this evolution will likely bring to computer
security and includes benefits as well as challenges.
Cloud Computing Considerations
To understand how cloud computing differs from traditional computing requires both an
understanding of the cloud shift and careful thought about how this new computing model affects
businesses and consumers.
The shift toward cloud computing has been underway for a number of years as part of an ongoing
evolution. Previously, information was stored largely in paper files in file rooms or off-premises
storage and delivered in person or through inter-office mail systems. Today, most data is stored on
computer servers outside the users immediate physical control and shared across international and
organization boundaries with multiple sources via new tools like email, collaborative websites, and
social networking. A key distinction of cloud computing is that information storage and processing
need not be limited by space or geography. Indeed, cloud computing users typically dont even need
to know how many virtual filing boxes they will need because the available space and processing
power scales to meet their needs.
By moving business applications or processes to the cloud, organizations may experience changes to
established IT practices. The off-premises cloud offers many potential advantages, including security
improvements. Yet there are, in fact, some important differences between the old world and the
new, and organizations need to consider these differences in business planning and riskmanagement.
What are some of the important differences between the cloud and the existing IT model, and how
should companies address those differences in their business planning? In the traditional enterprise,
an organization is responsible for all aspects of its people, processes, and technology. The
enterprise purchases the hardware, licenses the software, secures the data centers that house them,
and hires the people to run it.
-
8/3/2019 Security in Cloud Computing Overview
6/8
5
2009 Microsoft Corporation. All rights reserved.
As a result, an organization is responsible for managing:
1) The physical location of the data center (affecting which countrys law applies);
2) The security of the data center;
3) The trustworthiness of system administrators; and
4) The documented information security program that protects the confidentiality, integrity,
and availability of data and systems, including, but not limited to, configuration, patching,
incident response, and business continuity management.
By contrast, particularly in non-private clouds, many of these functions will be handled by a cloud
provider. Physical security for the data center will be managed by the cloud provider, and system
administrators may be employees of the cloud provider, not the organization using the cloud. One
could argue that this may be new for some, but not for those who have already outsourced critical
IT functions to third parties. However, there are elements of cloud services that represent
wholesale change. For example, to make cloud services capable of expanding flexibly, hardware will
be shared and the security boundary between different organizations may be virtual (virtualized
compartments) as opposed to physical (different hardware). Additionally, the on-the-fly allocation ofadditional resources might mean that the geographical location of data may be based on scalability
and availability or other factors versus security and jurisdictional considerations, especially when a
cloud provider has data centres in multiple jurisdictions.
While selecting which resources to use without concerns about physical location could lead to some
efficiencies, there may also be uncertainty as to which sovereign law will apply to handling the data.
Additionally, individuals in a government or enterprise may decide on their own to sign up for a
cloud service without consulting their IT department, leaving the company exposed to unmanaged
risks.
It is therefore important that organizations think clearly about the implications of cloud computing
and address those implicationsbefore embracing the cloud. In that regard, we offer some generalobservations and some specific challenges to consider.
Cloud Computing Benefits and Challenges
Cloud computing affects the security of organizations in several ways. One positive aspect of cloud
computing, as mentioned above, relates to the application of skilled resources. The fact is,
technology has spread around the globe far faster than people could be trained to manage it well,
even where technology solutions were created in a secure manner with secure defaults. The
aggregated assets handled by a cloud service operator take on new importance because of the scale
of the data in their control. However, cloud service providers investments in security personnel andpractices work to the benefit of all cloud customers.
Another positive benefit of cloud services relates to centralized data stored in large data centres,
which can be accessed from anywhere and is much easier to manage and protect than massive
decentralized data stores. For example, the use of data centers can minimize the risk of losing
critical company data that might otherwise be stored locally on a laptop computer or device, which
can easily be stolen or misplaced.
-
8/3/2019 Security in Cloud Computing Overview
7/8
6
2009 Microsoft Corporation. All rights reserved.
On the other hand, a cloud computing model also presents different risk management challenges.
The reliance on remote cloud services places a renewed importance on the resiliency and availability
of both the communications that connect the enterprise to the data center, and the availability of the
cloud service. Organizations must fully assess their needs and the capabilities of their carriers and
cloud service providers.
To the extent that quantities of data from many companies are centralized, this collection can
become an attractive target for criminals. Moreover, the physical security of the data center and the
trustworthiness of system administrators take on new importance. While decentralization may have
created its own challenges, aggregating the data today increases the potential damage that could be
caused when a data store is compromised.
The aggregation of data also raises new privacy issues. Some governments may decide to search
through data without necessarily notifying the data owner, depending on where the data resides.
Apart from governments, a question exists as to whether the cloud provider itself has any right to
see and access customer data. Some services today track user behaviour for a range of purposes,
from sending targeted advertising to improving services.
Interesting jurisdictional challenges for both security and privacy will also arise. Assume, for
example, a hacker breaks into Cloud Provider A and steals data from Company X. Assume, too, that
the compromised server also contained data from Companies Y and Z. Who investigates this crime?
Is it the Cloud Provider, even though Company X may fear that the provider will try to absolve itself
from responsibility? Is it Company X and, if so, does it have the right to see other data on that
server, including logs that may show access to the data of Companies Y and Z?
It is impossible, of course, to review and consider all of these areas and specific questions today. It
might even be impossible to know all the questions today. But understanding these issues does
allow those thinking about cloud services to ask some very pointed questions about whether to
embrace the cloud and, if so, how.
The first fundamental question relates to the type of cloud an organization should embrace. If an
organization wants to retain control over the physical assets and personnel operating the cloud, this
would suggest a private or community cloud offering managed by the enterprise itself or by a
trusted third party.
If, by contrast, an organizations risk management approach focuses less on direct control over
physical assets and the operational personnel, it may seek to reduce costs and increase flexibility by
outsourcing operations through cloud services. The key is to understand which pieces will be
retained and which will be managed by others. For example, an organization using the data center
and personnel of a cloud provider is essentially outsourcing those functions and should ask
traditional outsourcing questions. What are the security and privacy policies of the outsourcer?
How are they enforced? Is there transparency into these processes and are there trusted external
certifications? Are they regularly audited? What happens in the event of an incident? There are also
new questions to ask, such as: How does the elasticity offered by the provider affect the
geographical location of where my data might be stored?
An organization also needs to know what functions it wants to continue to control. For example,
who gets to decide what authentication mechanisms are used to access applications and data in the
cloud? Is it the cloud service provider, the cloud customer, or some third party? How does ad hoc
collaboration work in this environment?
-
8/3/2019 Security in Cloud Computing Overview
8/8
7
2009 Microsoft Corporation. All rights reserved.
Finally, it is worth noting that many people view the cloud as two simple categories: private or
public. But even today we are already in a much more complex environment, which includes
various hybrid models. An organization might have a business application(s) managed on-premises,
managed in a community cloud, or potentially distributed across different public cloud providers. The
choice or choices made will have a significant impact on the security approach taken, and the ability
to move data and applications into the cloud or back to on-premises management.
In Closing
Client-plus-cloud computing offers enhanced choice, flexibility, operational efficiency, and cost
savings for governments, businesses, and individual consumers. To take full advantage of these
benefits, reliable assurances regarding the privacy and security of online data must be provided. In
addition, a number of regulatory, jurisdictional, and public policy issues remain to be solved in order
for online computing to thrive.
Microsoft has been addressing many of these issues since 1994, when the company delivered its first
online services for consumers and enterprises. A breadth of experience over multiple years has
shaped the companys adherence to the security development lifecycle for secure coding design,
development, and deployment. Microsoft also has delivered a set of privacy principles that apply to
products and services, while ensuring corporate privacy policy compliance, product and service
development excellence, and overall business practices rigour. These components anchor Microsofts
commitment to maintaining the highest standards of privacy and security in online services and
partnering with other industry leaders, governments, and consumer organizations to develop globally
consistent security and privacy frameworks that increase the economic and social value of cloud-
based computing.