With all the benefits cloud computing can offer an organization come a few concerns that often are not present in traditional computing. For example, one of the strengths of cloud computing is its ability to take data and replicate it across an array of devices to provide backup. This is how a cloud provider achieves availability. An uploaded file may be spread among several storage devices and then backed up to not just several devices within a facility but maybe even to different facilities. When a user requests a file, the file can come from the facility closest to him or her, speeding access.
However, in order to achieve that high level of availability, cloud providers and consumers must address consistency issues. When a file is updated, there will be a delay before the update is replicated to every copy. Many cloud service providers follow what is known as an eventually consistent model, which works exactly like it sounds — eventually all the replicated data will be consistent.
For end-users transitioning to the cloud, this can be different from what they are used to. When a file gets stored on what appears to be a shared network drive, it may not be readily visible to others. While eventual consistency works well for availability, for transactions where integrity is much more critical, a different consistency model may need to be explored.
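The delay described above can be seen in a small simulation. This is an added example, not code from any cloud provider: the site names, the file name, and the "ask every replica and take the highest version" read are assumptions chosen to illustrate one stronger alternative to an eventually consistent read.

```python
# Constructed simulation: writes land on one primary and reach the other
# replicas only when replicate() runs, which models the replication delay.
class ReplicatedStore:
    def __init__(self, names):
        # Each replica maps key -> (version, value); names[0] is the primary.
        self.replicas = {name: {} for name in names}
        self.primary = names[0]
        self.pending = []          # queued (replica, key, version, value)
        self.version = 0

    def write(self, key, value):
        self.version += 1
        self.replicas[self.primary][key] = (self.version, value)
        for name in self.replicas:
            if name != self.primary:
                self.pending.append((name, key, self.version, value))
        return self.version

    def replicate(self):
        """Deliver queued updates; a replica never rolls back to an older version."""
        for name, key, version, value in self.pending:
            if self.replicas[name].get(key, (0, None))[0] < version:
                self.replicas[name][key] = (version, value)
        self.pending.clear()

    def read_nearest(self, name, key):
        """Eventually consistent read: one replica answers, possibly with stale data."""
        return self.replicas[name].get(key, (0, None))

    def read_latest(self, key):
        """Stronger read (assumed model): query all replicas, keep the highest version."""
        answers = [r.get(key, (0, None)) for r in self.replicas.values()]
        return max(answers, key=lambda pair: pair[0])

def demo():
    store = ReplicatedStore(["site-a", "site-b", "site-c"])   # constructed names
    store.write("payroll.csv", "v1 contents")
    store.replicate()
    store.write("payroll.csv", "v2 contents")                 # not yet replicated
    stale = store.read_nearest("site-c", "payroll.csv")       # still version 1
    strong = store.read_latest("payroll.csv")                 # sees version 2
    store.replicate()
    converged = store.read_nearest("site-c", "payroll.csv")   # now version 2
    return stale, strong, converged

if __name__ == "__main__":
    print(demo())
```

The stronger read costs a round trip to every replica, which is the availability and latency trade-off the text refers to.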
More than anything, the cloud is a shared environment. While cloud technologies go to great lengths to ensure one user cannot gain access to another user’s space, occasionally exploits surface. For example, the Spectre and Meltdown exploits, announced in January 2018, take advantage of issues in the physical computer chips on which many cloud services are run. Potentially, such an exploit could allow one malicious user to gain access to the resources of other users sharing the same physical infrastructure.
Below are some additional security issues that are specific to cloud computing.
Unless you are a very large organization, you will likely be contracting with one or possibly several vendors for your cloud services. This raises the issue of vendor lock-in, where some aspect of a vendor’s environment forces an organization to stick with that vendor. While this may appear to be a financial consideration, it is important to recognize the value of being able to switch cloud providers should some risk be identified.
Service Level Agreements (SLAs)
SLAs specify things like the minimum levels of service, availability, security controls, and processes that a cloud service provider will commit to. Well-defined and adhered-to SLAs are critical to ensuring the security of an organization, and a security professional may at times feel more like an attorney or negotiator when trying to ensure an SLA fully addresses the concerns of his or her organization. The remaining items on this list are all things that can be addressed in an SLA.
The more an organization’s resources, such as its applications and storage, can work across different platforms, the more it will avoid vendor lock-in, ensure availability, and provide the flexibility to move to more secure environments if need be.
Closely related to interoperability, the more an organization’s resources can be ported to different cloud environments, the better it will be able to implement things like a disaster recovery plan and avoid vendor lock-in.
A major risk with moving to cloud environments is that they can be a single point of failure for an organization. Cloud service providers should guarantee a minimum level of uptime, often measured in “nines.” (For example, 99.99 percent uptime is called “four nines.”)
SLAs should include things like non-disclosure agreements covering employees of a cloud service provider, but in addition, the technical controls used by a cloud service provider should be well-defined and measurable. While ensuring these controls are in place is important for security, it is also important to quantify them so that an organization can continue to execute things like a risk management program.
With a cloud environment, resources are shared, and this raises several concerns regarding privacy standards and regulations.
It is important that a cloud service provider be able to recover quickly from some service disruption in order to fulfill the objectives of an organization’s business continuity plan.
Related to availability, a cloud service provider needs to be able to scale to meet the demands of your organization. One of the risks in a cloud environment is that since you are sharing resources with other organizations, the demands of another client can impact your organization’s resources.
Complementing many of these concerns is the ability of an organization to measure how a cloud service provider meets your organization’s requirements and its obligations in an SLA.