security in cloud computing overview

8/3/2019 Security in Cloud Computing Overview

1/8

Security in Cloud ComputingA Microsoft Perspective

January 2010


2/8

1

2009 Microsoft Corporation. All rights reserved.

The information contained in this document represents the current view of Microsoft Corp. on the issues

discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it

should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the

accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR

IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights

under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval

system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or

otherwise), or for any purpose, without the express written permission of Microsoft.

Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights

covering subject matter in this document. Except as expressly provided in any written license agreement

from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,

copyrights or other intellectual property.

2009 Microsoft Corp. All rights reserved.

Microsoft, Bing, Hotmail, Microsoft Dynamics, MSN, and Windows Live are either registered trademarks or

trademarks of Microsoft Corp. in the United States and/or other countries. The names of actual companies

and products mentioned herein may be the trademarks of their respective owners.

Microsoft Corp. One Microsoft Way Redmond, WA 98052-6399 USA


3/8

2


Contents

Cloud Computing Evolution .................................................................................... 3

Cloud Computing Considerations ............................................................................ 4

Cloud Computing Benefits and Challenges ............................................................... 5

Closing ................................................................................................................. 7


4/8

3


Cloud Computing Evolution

The world of information technology is at a transitional moment. Internet-based data storage and

services also known as cloud computingare rapidly emerging to complement the traditional

model of running software and storing data on personal computers (PCs) and servers. Cloudcomputing enhances computing experiences by enabling users to access software applications and

data that are available on demand and are stored at off-site data centers or at an organization s1 on-

site data center, rather than on an individual device or PC.

The term cloud computing is not radically new and some services have long been offered in the

cloud.E-mail, instant messaging, business software, and Web content management are among the

many applications that are offered via a cloud environment. Many of these applications have been

offered remotely over the Internet for a number of years, which means that cloud computing might

not feel markedly different from the current Web for most people. (Technical readers will rightly cite

a number of distinct attributesincluding scalability, flexibility, and resource poolingas key

differentiators of the cloud. These types of technical attributes will not be addressed here as they

are outside the scope of this document.)

For example, traditional e-mail services run in provider data centers, with user data shared on e-mail

servers. But these older cloud services lack some of the key characteristics of the new cloud. They

are mainly mainstream software as a service models in the public cloud, in which the provider

controls everything from the underlying hardware to user authentication. Users cannot host their

own applications and their elasticity is limited. In addition, users are given finite storage space.

The term cloud computing refers to several different computing paradigms, not all of which are

completely new. For example, as the United States Institute of Science and Technology (NIST) has

explained,2 cloud computing has three service models:

1) Software as a Service, through which applications are provided in the cloud;2) Platform as a Service, through which a cloud provider permits users to create or run

applications using languages and tools supported by the provider while the provider

delivers the underlying infrastructure such as servers, operating systems, or storage; and

3) Infrastructure as a Service, through which a customer can deploy a computinginfrastructure similar to a virtualized environment.

The essential characteristics of all three models include self-service (a customer can access new

capabilities), shared resources, and rapid elasticity (e.g., as a business grows, it can rapidly add

additional processing power and storage).

Cloud services can be delivered as private clouds operated solely by or for one organization,

community clouds for organizations with similar service requirements, and public clouds where there

is one general service level agreement and data resides on shared resources.

The cloud model is far more flexible and interesting, and has important implications for security

and privacy-increasing security in certain areas but posing new risks as well.

1For the purposes of this document, an organization broadly describes a governmental or business entity, group, or team

2http://csrc.nist.gov/groups/SNS/cloud-computing/
http://csrc.nist.gov/groups/SNS/cloud-computing/http://csrc.nist.gov/groups/SNS/cloud-computing/http://csrc.nist.gov/groups/SNS/cloud-computing/http://csrc.nist.gov/groups/SNS/cloud-computing/


5/8

4


Services that operate in the cloud often work in tandem with a client application operating on the

desktop computer. For example, instant messaging and e-mail applications running on a computer

rely on the cloud infrastructure for their connected features and also require a client download. The

combination of client plus cloud offers individuals, governments, and businesses greater choice,

agility, and flexibility while also greatly increasing efficiency and lowering information technology

(IT) costs. It gives customers access to information, software, and services at lower cost and on a

range of intelligent devicesfrom PCs to mobile phones to televisions. As a result, this next

generation of computing has enormous potential to create new business opportunities and economic

growth.

As with other major technological transitions, the evolution of cloud computing has drawn

widespread attention and scrutiny in the news media. It has also raised policy questions concerning

how people, organizations, and governments handle information and interactions in this

environment. However, with regard to most security and data privacy questions, cloud computing

reflects the evolution of the Internet computing experiences we have long enjoyed, rather than a

revolution.

This paper examines, at a high level, the changes that this evolution will likely bring to computer

security and includes benefits as well as challenges.

Cloud Computing Considerations

To understand how cloud computing differs from traditional computing requires both an

understanding of the cloud shift and careful thought about how this new computing model affects

businesses and consumers.

The shift toward cloud computing has been underway for a number of years as part of an ongoing

evolution. Previously, information was stored largely in paper files in file rooms or off-premises

storage and delivered in person or through inter-office mail systems. Today, most data is stored on

computer servers outside the users immediate physical control and shared across international and

organization boundaries with multiple sources via new tools like email, collaborative websites, and

social networking. A key distinction of cloud computing is that information storage and processing

need not be limited by space or geography. Indeed, cloud computing users typically dont even need

to know how many virtual filing boxes they will need because the available space and processing

power scales to meet their needs.

By moving business applications or processes to the cloud, organizations may experience changes to

established IT practices. The off-premises cloud offers many potential advantages, including security

improvements. Yet there are, in fact, some important differences between the old world and the

new, and organizations need to consider these differences in business planning and riskmanagement.

What are some of the important differences between the cloud and the existing IT model, and how

should companies address those differences in their business planning? In the traditional enterprise,

an organization is responsible for all aspects of its people, processes, and technology. The

enterprise purchases the hardware, licenses the software, secures the data centers that house them,

and hires the people to run it.


6/8

5


As a result, an organization is responsible for managing:

1) The physical location of the data center (affecting which countrys law applies);

2) The security of the data center;

3) The trustworthiness of system administrators; and

4) The documented information security program that protects the confidentiality, integrity,

and availability of data and systems, including, but not limited to, configuration, patching,

incident response, and business continuity management.

By contrast, particularly in non-private clouds, many of these functions will be handled by a cloud

provider. Physical security for the data center will be managed by the cloud provider, and system

administrators may be employees of the cloud provider, not the organization using the cloud. One

could argue that this may be new for some, but not for those who have already outsourced critical

IT functions to third parties. However, there are elements of cloud services that represent

wholesale change. For example, to make cloud services capable of expanding flexibly, hardware will

be shared and the security boundary between different organizations may be virtual (virtualized

compartments) as opposed to physical (different hardware). Additionally, the on-the-fly allocation ofadditional resources might mean that the geographical location of data may be based on scalability

and availability or other factors versus security and jurisdictional considerations, especially when a

cloud provider has data centres in multiple jurisdictions.

While selecting which resources to use without concerns about physical location could lead to some

efficiencies, there may also be uncertainty as to which sovereign law will apply to handling the data.

Additionally, individuals in a government or enterprise may decide on their own to sign up for a

cloud service without consulting their IT department, leaving the company exposed to unmanaged

risks.

It is therefore important that organizations think clearly about the implications of cloud computing

and address those implicationsbefore embracing the cloud. In that regard, we offer some generalobservations and some specific challenges to consider.

Cloud Computing Benefits and Challenges

Cloud computing affects the security of organizations in several ways. One positive aspect of cloud

computing, as mentioned above, relates to the application of skilled resources. The fact is,

technology has spread around the globe far faster than people could be trained to manage it well,

even where technology solutions were created in a secure manner with secure defaults. The

aggregated assets handled by a cloud service operator take on new importance because of the scale

of the data in their control. However, cloud service providers investments in security personnel andpractices work to the benefit of all cloud customers.

Another positive benefit of cloud services relates to centralized data stored in large data centres,

which can be accessed from anywhere and is much easier to manage and protect than massive

decentralized data stores. For example, the use of data centers can minimize the risk of losing

critical company data that might otherwise be stored locally on a laptop computer or device, which

can easily be stolen or misplaced.


7/8

6


On the other hand, a cloud computing model also presents different risk management challenges.

The reliance on remote cloud services places a renewed importance on the resiliency and availability

of both the communications that connect the enterprise to the data center, and the availability of the

cloud service. Organizations must fully assess their needs and the capabilities of their carriers and

cloud service providers.

To the extent that quantities of data from many companies are centralized, this collection can

become an attractive target for criminals. Moreover, the physical security of the data center and the

trustworthiness of system administrators take on new importance. While decentralization may have

created its own challenges, aggregating the data today increases the potential damage that could be

caused when a data store is compromised.

The aggregation of data also raises new privacy issues. Some governments may decide to search

through data without necessarily notifying the data owner, depending on where the data resides.

Apart from governments, a question exists as to whether the cloud provider itself has any right to

see and access customer data. Some services today track user behaviour for a range of purposes,

from sending targeted advertising to improving services.

Interesting jurisdictional challenges for both security and privacy will also arise. Assume, for

example, a hacker breaks into Cloud Provider A and steals data from Company X. Assume, too, that

the compromised server also contained data from Companies Y and Z. Who investigates this crime?

Is it the Cloud Provider, even though Company X may fear that the provider will try to absolve itself

from responsibility? Is it Company X and, if so, does it have the right to see other data on that

server, including logs that may show access to the data of Companies Y and Z?

It is impossible, of course, to review and consider all of these areas and specific questions today. It

might even be impossible to know all the questions today. But understanding these issues does

allow those thinking about cloud services to ask some very pointed questions about whether to

embrace the cloud and, if so, how.

The first fundamental question relates to the type of cloud an organization should embrace. If an

organization wants to retain control over the physical assets and personnel operating the cloud, this

would suggest a private or community cloud offering managed by the enterprise itself or by a

trusted third party.

If, by contrast, an organizations risk management approach focuses less on direct control over

physical assets and the operational personnel, it may seek to reduce costs and increase flexibility by

outsourcing operations through cloud services. The key is to understand which pieces will be

retained and which will be managed by others. For example, an organization using the data center

and personnel of a cloud provider is essentially outsourcing those functions and should ask

traditional outsourcing questions. What are the security and privacy policies of the outsourcer?

How are they enforced? Is there transparency into these processes and are there trusted external

certifications? Are they regularly audited? What happens in the event of an incident? There are also

new questions to ask, such as: How does the elasticity offered by the provider affect the

geographical location of where my data might be stored?

An organization also needs to know what functions it wants to continue to control. For example,

who gets to decide what authentication mechanisms are used to access applications and data in the

cloud? Is it the cloud service provider, the cloud customer, or some third party? How does ad hoc

collaboration work in this environment?


8/8

7


Finally, it is worth noting that many people view the cloud as two simple categories: private or

public. But even today we are already in a much more complex environment, which includes

various hybrid models. An organization might have a business application(s) managed on-premises,

managed in a community cloud, or potentially distributed across different public cloud providers. The

choice or choices made will have a significant impact on the security approach taken, and the ability

to move data and applications into the cloud or back to on-premises management.

In Closing

Client-plus-cloud computing offers enhanced choice, flexibility, operational efficiency, and cost

savings for governments, businesses, and individual consumers. To take full advantage of these

benefits, reliable assurances regarding the privacy and security of online data must be provided. In

addition, a number of regulatory, jurisdictional, and public policy issues remain to be solved in order

for online computing to thrive.

Microsoft has been addressing many of these issues since 1994, when the company delivered its first

online services for consumers and enterprises. A breadth of experience over multiple years has

shaped the companys adherence to the security development lifecycle for secure coding design,

development, and deployment. Microsoft also has delivered a set of privacy principles that apply to

products and services, while ensuring corporate privacy policy compliance, product and service

development excellence, and overall business practices rigour. These components anchor Microsofts

commitment to maintaining the highest standards of privacy and security in online services and

partnering with other industry leaders, governments, and consumer organizations to develop globally

consistent security and privacy frameworks that increase the economic and social value of cloud-

based computing.

security in cloud computing overview

Documents