Cloud computing is becoming a real trend in today's business world. Businesses are increasingly opting for cloud-based applications for their business needs. Various security aspects need to be assessed before considering a cloud application.
A recent application I have reviewed offers a financial management solution. The solution is hosted at a web hosting provider which offers cloud servers as part of its offering. So the scenario can be summarized as follows:
- Vendor A offers a cloud application
- The application is hosted in a cloud server instance of a cloud service provider (Vendor B)
- Vendor A is a customer of Vendor B, one among many customers of Vendor B
- Vendor A shares the hardware infrastructure of Vendor B with other customers, including storage (with backup), CPU, memory, etc.
- The actual customers of Vendor A have their data hosted in this shared storage space of Vendor B, which is again shared with the other customers of Vendor A. It would be safe to assume that, in a normal scenario, there would be enough controls to establish data segregation between the customer environments within the Vendor A clouds.
Now let us look into the various cloud data security scenarios a company will face in the above cloud hosting environment:
- A data backup, once taken, is not in the custody of the application service provider, but with the cloud hosting provider.
- Any failure of cloud storage devices can lead to data leakage, because the cloud service provider will tend to replace the storage hardware, and the replaced device may still hold customer data.
- Most of the system administrators of the cloud service providers can have access to your data if they are allowed to administer the systems. For example, managed services offered by cloud service providers require administration of the cloud instances by the cloud service provider's administrators.
- Web application security is another key issue to be looked into. Most cloud hosting offerings are not secure in their default mode, and many times not in the advanced mode either. Many of today's attacks are web application attacks, resulting in numerous data losses. Web application firewalls are an important part of the solution required to protect critical web applications. None of the cloud service providers offers a web application firewall.
- IPS and firewall are two other pieces of network security. Cloud service providers find it difficult to offer IPS and firewall for selected clients, and hence they are not a standard offering from many of the top cloud service providers.
From the above, it is evident that cloud applications offered as SaaS are not very secure if the cloud infrastructure is not managed by the SaaS vendor. In the new business models, SaaS providers often choose an Infrastructure as a Service (IaaS) vendor for their infrastructure needs. The IT control and governance environment becomes very weak in this kind of business model.
I would not bet on a public cloud infrastructure if I have critical customer data to be stored and processed. What are your views on this?