Security in the cloud
agendaNi examines typical cloud security concerns and responses, and cloud developments in the public sector.
Security concerns about cloud usage in both the public and private sector remain. Among the main concerns of cloud users, in general, are potential breaches of security and of privacy laws (possibly inadvertent ones). Users can feel uncertain over their legal role and that of the cloud provider regarding security responsibilities. It is expected that many companies will opt for hybrid clouds until privacy and compliance aspects of cloud solutions become more commonly embedded.
Access to data and clarity on whether a provider can change (at their discretion) the terms and policies of a service are also considered potential problems. Regulatory worries can arise when a provider hosts personal information for a company in a different jurisdiction to that in which the information was collected.
Cloud-based systems are also vulnerable to cyber attacks. Attacks can be initiated from within the cloud by taking control of, or buying, a virtual private server (VPS) in a matter of minutes. The VPS is typically used for a one-time attack and then disposed of.
Attacks such as cross-site scripting and SQL injection (database attacks carried out through a website) can occur more often with the software as a service model (where the software and data are hosted centrally) because of the user’s direct interaction with the cloud. The cloud’s resource elasticity, however, is seen by some as ensuring greater resilience to distributed denial of service (DDoS) attacks.
The industry is developing services aimed at improving cloud security, including advanced data encryption services. Keeping encryption keys separate from the service provider, so that they are accessible only to the data protector and the customer, is seen as providing additional security.
A global collaborative project, supported by multi-nationals, professional organisations, standards-setting bodies and others, has produced a ‘common assurance maturity model’. This involves a certification level for cloud providers that can help when selecting a vendor.
Threat information tools are expected to become more popular as they provide proactive monitoring of cloud environments and on-demand reporting on both compliance and threat levels.
Civil Service adoption of cloud services remains slow in the province. The Protective Marking System (used by government to protect classified information) is one of few pilot projects under way on using commercial cloud services. A Department of Finance and Personnel (DFP) spokeswoman told agendaNi that announcements on this will be made later in the year.
The department is also considering adopting the new version of CloudStore, the UK Government’s cloud computing catalogue, for Northern Ireland’s public sector. Connecting the Civil Service’s networks to the UK Public Services Network, the network over which UK government departments share services, is another possibility.
Separately, DFP’s internal cloud service provider IT Assist is currently conducting a project to develop private cloud infrastructure.
Meanwhile, at EU level, new data protection proposals from Justice Commissioner Viviane Reding cover cloud computing. Data controllers that are not established in the EU and which direct data processing activities regarding EU residents, or monitor their behaviour, will have to appoint a designated representative in the EU. This will apply if they have 250 employees or more and where the company is located in a country with inadequate data protection.
Businesses operating in more than one EU country will only be subject to one national supervisory authority. Reding hopes the proposed Directive and Regulation will be adopted by the European Parliament and European Council by July 2013.
Though the appetite for the cloud is strong, the roll-out of security solutions and stronger data protection laws will remain necessary to assuage the concerns of those yet to embrace the technology.