Cloud Security guidelines
The security reservations raised about cloud computing are broadly the same as those faced with legacy IT infrastructure services. Businesses, particularly in the banking sector, often raise security concerns about the cloud. In their view, organizational assets placed in cloud data centers are under external control, i.e. that of the cloud provider. Because of this, it is a common assumption that the service provider is in a position to alter organizational data and to perform illegal or unethical activities with those assets.
However, since the consortium of Open API working groups, including Cipher Cloud and the CSA, was formed, the security concerns, which were based mainly on two factors, data storage and data communication, are being reduced. The consortium will deliver vendor-neutral guidelines. Implementing data security rules will help those industries that are still hesitant to adopt cloud services.
The working groups are continuously developing techniques that let organizations place their data in a sophisticated and fully secured cloud model. Within the group, the Cloud Security Alliance (CSA) is doing its best to deliver the Cloud Controls Matrix (CCM) program, which includes a provider self-assessment program, the Consensus Assessment Initiative (CAI), the Certificate of Cloud Security Knowledge (CCSK), and a trust and assurance registry (STAR).
The guidelines defined by CSA STAR are as follows:
- Execution of effective governance assurance along with risk and compliance processes.
- In the case of IaaS, the customer is accountable for deploying the complete software stack, including the OS, middleware and application, with all security measures and patches.
- Audit, authentication and authorization of all processes, covering administrative and operational processes.
- In the case of PaaS, the customer must have sufficient information to access their data individually with administrative access.
- People and their identities should be managed along with their role descriptions.
- Maintain appropriate data encryption standards along with information privacy. Enforce the privacy policies.
- Implementation of policies restricting access to cloud applications, to prevent anonymous access and to control guest access.
- Assurance of network security, which is largely resolved after the adoption of SDN.
- Taking security measures to control physical infrastructure and facilities, i.e. implementation of biometric systems is essential.
- Service level agreements (SLAs).
SaaS is increasingly improving human efficiency by transforming business processes with the help of a broad range of enterprise virtualized applications delivered over the Internet. It gathers, processes and stores user-specific data while eliminating the requirement for any technical resource on the customer side. Since it lets businesses work over the Internet, it clearly demands much more security and reliability.
- So, in the case of SaaS, security policy constraints are usually the responsibility of the provider and depend on the SLA. The customer must have a guarantee that the SLA terms meet their confidentiality, integrity and accessibility needs.
- The customer may not be aware of the location and format of the data storage, but it is important that the customer has ample information about the provider's patching schedule, malware controls, update release cycle, etc.
- Introduction of policies to identify unexpected spikes and reduce the users' load on the application.
- The customer should have sufficient knowledge about the data encryption standards in use and how their data is protected.