Cloud Computing - Is your Data at Risk?
Cloud computing is one of the fastest-growing areas in IT. With its growth comes heated discussion about the security aspect of cloud computing in comparison to traditional methods of data storage and access.
In this blog, I outline three types of security risks faced by businesses, summarise Windows Azure Security and explain how Azure has the same level of security risk as other systems.
Is there a Security Risk with Cloud Computing?
Yes, but only because every device that works on the rules of bits and bytes and is connected to the outside world is vulnerable, or at risk, all of the time.
What are the Security Risks?
In general there are three main types of security risks:
Infrastructure Related
This is the core of any IT system's security. Hardware and software should be up to date and regularly patched against vulnerabilities. The cloud provider should allow users to decide where to keep data based on regional data protection laws. Cloud infrastructure should be flexible enough to support common data storage formats, so that the user can move data to another provider when needed. The Windows Azure platform fully supports all of the above.
Application Related
Application related security involves designing applications to include recommended security features, such as authorisation/authentication and secure communication (SSL), both between the application and the database and between the end user and the application. The Windows Azure platform itself is running encrypted, but it is always recommended to keep sensitive data encrypted at application level.
End User Related
User related security risks exist in all types of systems, regardless of whether they are cloud based or not. Proper education and procedures are the only option.
When cloud providers do not disclose what type of infrastructure related security systems they are implementing, this provides a level of protection, as an attacker is always in the dark about the countermeasures in place. Most cloud providers do not accept full responsibility for data loss due to an attack, but it is logical to think that they will maintain the maximum level of security, as their goodwill is dependent on security.
Windows Azure Security
Platform security is more important than application security. Windows Azure has completed a SAS 70 Type II audit and has FISMA and ISO 27001 certification. ISO 27001 audits are focused specifically on security practices instead of a general audit of the procedures in place.
Accessing Windows Azure databases involves a two-step procedure: the first step is to authorise a computer's IP address to access Azure databases, and the second step is authentication. This prevents unauthorised access to the database systems. Data stored on the platform is encrypted within Windows Azure, so even a breach of their security systems does not make data stored by your application available. Each customer's data is logically separated onto a different (virtual) volume, so it is difficult to access another customer's data. Data can also be replicated at several locations, so catastrophic failure does not imply data loss; it is also possible to restrict the geographic location of your data to comply with any import/export regulations that the data may fall under. Again, physical access to their data centres is restricted, and redundant network and power systems minimise the likelihood of intermittent failures.
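The two-step database access described above (IP authorisation first, then authentication) can be modelled as follows. This is an added example, not Windows Azure's own code; the rule list, account, salt and function names are hypothetical and the sample values are constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: one allowed client range and one account.
FIREWALL_RULES = [("office", "203.0.113.10", "203.0.113.20")]
SALT = b"constructed-salt"
USERS = {"app_user": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}


def ip_allowed(client_ip, rules=FIREWALL_RULES):
    """Step 1: is the source address inside any allowed start-end range?"""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: deny by default
    for _name, start, end in rules:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        # Only compare addresses of the same IP version.
        if addr.version == lo.version and lo <= addr <= hi:
            return True
    return False


def authenticate(user, password, users=USERS):
    """Step 2: verify the password against the stored PBKDF2 hash."""
    stored = users.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    # Hash and compare even for unknown users so timing does not reveal valid names.
    matches = hmac.compare_digest(candidate, stored or b"\x00" * 32)
    return matches and stored is not None


def connect(client_ip, user, password):
    """Return (allowed, reason); credentials are never evaluated for blocked IPs."""
    if not ip_allowed(client_ip):
        return (False, "ip_not_authorised")
    if not authenticate(user, password):
        return (False, "authentication_failed")
    return (True, "ok")


if __name__ == "__main__":
    print(connect("203.0.113.15", "app_user", "correct horse"))
    print(connect("198.51.100.7", "app_user", "correct horse"))
```

Logging the returned reason separately for each step lets an operator tell a missing firewall rule apart from repeated failed logins coming from an already authorised address.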
What we Learned
In terms of security, cloud computing is not too far away from the in-house/third-party datacentre methods. In general it has only the same level of security risk as other systems. When we consider Microsoft Azure cloud offerings, customers are assured they get the best as per the industry standards, with regard to security and survivability of data.
To know more about how Microsoft Azure Security can be mapped to the Cloud Security Alliance Cloud Control Matrix (CCM) recommendations, visit https://www.windowsazure.com/en-us/support/trust-center/security/
For a detailed analysis of on-premises and cloud related security issues, visit http://www.alertlogic.com/wp-content/uploads/alertlogic%20state%20of%20cloud%20security%20spring2012.pdf