From the In-Security Land to Security in the Cloud
"This article aims to share with you some thoughts and concepts associated with Cloud Computing and the risks involved for those who want to venture into the benefits it offers" -- Mariano M. Río
"From the In-Security Land to Security in the Cloud" will try to reflect how true it is that the cloud is dangerous or more dangerous than "land" and in turn how much of what is required to the cloud is rarely seen implemented on the ground.
When companies begin their assessment to go to the cloud, the first comments are generally related to the "dangers" associated with privacy and confidentiality of information, the availability of services and other issues that represent the cloud as an undesirable place to visit. This turns out to be real, but as real as could be the situation of exposure of the information in an organization that does not have security program information or at least care with basic information and associated assets.
Now, what is minimally expected from someone who cares about the privacy or confidentiality of information in the cloud is at least that the situation of your organization is better and there have been implemented controls to ensure these principles. Similarly, those aspects associated with the availability of services and issues related to continuity of operations and / or the receipt of information.
What really stands out is that the situation is more close to what they expect from the cloud, and which according to its critical position towards the latter should have on earth. Thus then there are no basic measures such as: an inventory of critical assets of the Organization, the classification of information, risk analysis, continuity of operations plans, product safety checks and risk analysis and surprisingly, the receipt of information. That is, being critical of the cloud does not have a basic security strategy for your organization, but what they expect from the cloud.
However, as has happened with other issues, you can see a global trend migrating to solutions in the cloud, some start with those applications or systems that have little relevance to the operations of the Organization, but hopefully that will quickly migrate more relevant services to reach the critical systems and applications.
What we should keep in mind is that, both the ground and in the cloud, security must be managed, with clear objective of accompanying the business through the changes that occur in the operation. There is no model that does not require management, risk assessment, implementation of controls, monitoring and accountability on the part of those involved. Having said this, then you might think that the real danger is people, in short is the lack of diligence on main risk to which information is displayed, no matter where they are. Do you still think that the management of safety and risk is a purely technological issue? Do we think that in any case the security problems of an organization are the responsibility of the IT area? Cases like Sony, Amazon, Google, DigiNotar, BlackBerry and other serious incidents make clear that security is a fundamental part of any service delivery today. However it doesn't seem that will be willing to assume the cost that could generate. For DigiNotar has been its bankruptcy.
Finally, for those interested in evaluating a solution in the cloud there are many resources available that can make the task much less complex and also with international endorsement, that may require areas to be making decisions. In this sense, you can find material in ENISA, INTECO, NIST, CSA, etc.
The Cloud Security Alliance (CSA) has developed a number of additional documents to the traditional guides that can greatly facilitate the evaluation and subsequent analysis of a solution provider, among which we could find:
• Cloud Control Matrix (CCM).
• Cloud Assessment Initiative (CAI).
• Cloud Security Guidance (CSG).
• Security As a Service (SecaaS).