It seems that you can’t go anywhere these days without hearing talk about cloud computing and how this paradigm shift is going to change the use of the Internet in the coming years. You will also hear that one of the biggest concerns is the security and privacy of information passed around in this new way of using the Internet. But could it be true that information security might be better in cloud computing? For cloud based architectures involving Software as a Service (SaaS), the answer will most commonly begin with “it depends”. As always, it mostly depends on the decisions made during the SDLC and on whether processes for secure application development are (hopefully) being adhered to. The conclusion that an external cloud based service is the better computing solution should be reached only after careful analysis of all options for a given solution; an external cloud architecture should therefore not be predetermined. In other words, cloud based computing should not be forced but considered as an option in the design and architecture phases of a solution.
“Cloud” type services have actually been in use for some time now, but more recently the focus has turned to how these services can be better defined and more beneficial for service providers and consumers. For years, organizations have handed the hosting of services such as web, e-commerce, and email to service providers, to name only a few. Additionally, routers and DNS services have been in use since the beginning of the Internet, sending our email and web traffic from customers to partners without SLAs for every path each bit traverses. Where data security is concerned, capabilities like PKI trust models and encryption technology have been added on to keep that data secure across insecure environments. Much will be the same as we move to cloud based architectures, but the greatest advantage for security is that many related concerns can be raised at the beginning, at the design and architecture levels, so that they are addressed ahead of time rather than by adding security on top of existing solutions.
With cloud based architectures among the options for providing a solution, misconceptions are common as manufacturers market products for the cloud. The benefits being presented will include reduced total cost of ownership, lower initial costs for deployments, disaster recovery services, security control capabilities like system patch management and updates, and scalability as the need for more throughput arises. These benefits will be especially great for organizations deploying solutions with minimal internal capabilities to provide these services. Having a strategy and plan that includes cloud computing could allow for the most lucrative benefits. For more information on the direction of cloud computing at Intel, you can review the Enterprise Private Cloud Architecture and Implementation Roadmap or the Cloud Security related topics on Intel’s IT Center.
The shift to cloud computing should not change the need for baked-in security requirements from the start. The hope is that security and privacy concerns can be at the forefront of requirements for any solution being deployed with a public or private cloud based architecture. On one hand, service providers will be reaching out for business; on the other, companies will be carefully evaluating whether to take the leap. For the larger organization, moving to cloud centric computing will most likely require decoupling many existing solutions for careful scrutiny and understanding of the threat landscape. This could even bring to light needed mitigations for threats that may not have been thought of before. The challenge for the cloud is that it is not just a technical matter: there are also legal agreements and trust ramifications to consider. Organizations should consider a private cloud before migrating to a public cloud (service provider), so that the evaluation of security ramifications can become more prevalent over time and only that which makes sense is moved to the public cloud. The evaluation can provide more opportunity to put security at the forefront of the technology, or the decision to use public cloud architectures can be avoided altogether. This is not to say that every solution that becomes more cloud centric will be more secure, but that many of the concepts for mitigating common threats will likely be proactively offered as standards by service providers in external cloud services.
Cloud computing will bring about a change in the physical boundaries of data and in how that data is moved between trusted partners securely and reliably. This capability will require encryption and trust models to be constantly evaluated to ensure the latest security capabilities are being used properly. It may be enhanced by using the right service provider in the external cloud. It will be important that service providers use cloud computing architects who understand the capabilities of technology like Intel® Trusted Execution Technology (Intel® TXT) and the impact of the Intel AES New Instructions (AES-NI) integrated into the latest Intel Xeon processors to achieve accelerated encryption and decryption. Cloud computing consumers will soon have greater access to the latest technology for security and performance because of the shared cost associated with cloud based architectures. Additionally, technology must continue to advance in its capability to protect data, which may be more easily implemented by a service provider that specializes in the protection of data in the external (public) cloud. So if risk and security concerns are at the forefront of discussions for moving to a cloud based architecture, information security in the cloud could be better.