Cloud computing is here to stay: that much is clear. The important thing now is to develop cloud security to meet the demands of a growing market. “Security will always be key, and a major differentiating element among service providers,” says Retzignac. “It is always at the forefront of our decision-making process.”
However, this isn’t a simple matter. “It can be substantially more difficult to understand and deal with the risks of cloud computing than with the traditional integrated models that businesses used to have,” says Sameer Kochhar, a director at LastPass, an online password manager and form filler for secure web browsing and management. “Ten years ago, the cloud phenomenon didn’t exist in the online applications world; businesses were in total control of everything. Now you have little control over how those services are maintained, where the servers are located, how security is audited and other such considerations, making it difficult to quantify the risks.”
A June 2010 report from the IDC entitled ‘Securing Identities is Key to Success in the Cloud’ breaks down cloud computing into three different archetypes or models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
Under the SaaS model, third-party cloud providers deliver a full application service to end-users. PaaS uses a cloud-based infrastructure to deliver customer-based applications, while IaaS enables businesses to deliver their own services by providing them with cloud-based equipment.
The downside of the SaaS model, the most mature of the three, is that you pass the majority of your control over to a service provider. “You need to get the correct assurances about infrastructure security, physical security, access controls, authentication and, importantly, auditing, before entering into a contract,” says Rik Ferguson, Senior Security Advisor at Trend Micro.
Theo Dimitrakos, Head of Security Architectures Research at BT Innovate & Design, agrees that different kinds of cloud services expose different entry points into the cloud provider. He says the ‘Cloud Computing Risk Assessment’ report by the European Network and Information Security Agency and the security guidelines of the Cloud Security Alliance (CSA) give more information on best practice in cloud-based security.