Cloud shared considerations need to be coordinated and implemented consistently across an organization’s cloud computing ecosystem. Responsibility for addressing these are shared issues across all actors/roles, activities, and components.
Cloud Computing Shared Responsibility Model
Security of cloud data and applications is a responsibility that is shared between the cloud service provider and the cloud service consumer. An easy way to portray the responsibility boundary is that:
- The CSP has responsibility for “security of the cloud”
- The customer has responsibility for “security in the cloud”
“Of the cloud” security describes the task of protecting the cloud infrastructure. This includes both the physical and logical protection of hardware, software, networking, and facilities that run the cloud services.
“In the cloud” security responsibilities are dictated by the specific cloud service(s) consumed by the customer. Those responsibilities include service configuration and management tasks, management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on compute instances, and the configuration of the ACSP provided firewalls on each instance. Based on service model consumed an illustrative example is as below:
Below are the key consideration which directly influence the Cloud Computing Shared Responsibility Model.
Auditability relies on a single key component: evidence. Think of the auditor coming in with their checklist and questions—that is the same mindset that your organization or entity should take to ensure that you always have a comfort with and positive understanding of your ability to audit and measure actions against requirements. Systems and processes will fail, so wherever possible, auditing and auditability should provide enough information, details, and evidence to support reviews and investigations. The ability to point to audit results, findings, and relevant evidence has not only saved jobs and companies from catastrophic impacts, but also has given leaders the facts and reports they need to alter business processes, system functions, and personnel activities and to implement increased safeguards such as defense in depth or additional layers of security and risk management.
Systems and resource availability define the success or failure of a cloud-based service. Availability is a single point of failure for cloud-based services. If the service or cloud deployment loses availability, the customer is unable to access their target assets or resources, resulting in downtime. In many cases, cloud providers are required to provide upwards of 99.99 percent availability as per the service-level agreement. Failure to do so can result in penalties, reimbursement of fees, loss of customers, loss of confidence, and ultimately brand and reputational damage.
Regulatory compliance is an organization’s requirement to adhere to relevant laws, regulations, guidelines, and specifications relevant to its business, specifically dictated by the nature of operations and functions it provides to its customers. Where the organization fails to meet, or violates, regulatory compliance regulations, punishment can include legal actions, fines, and in limited cases, halting business operations or practices. Key areas that are often included in cloud-based environments include (but are not limited to), Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), and the Sarbanes–Oxley Act (SOX).
The term “governance” when relating to processes and decisions, refers to defining actions, assigning responsibilities, and verifying performance. The same can be said and adopted for cloud services and environments where the goal is to secure applications and data when in transit and at rest. In many cases, cloud governance is an extension of existing organizational or traditional business process governance, with a slightly altered risk and controls landscape. While governance is required from the commencement of a cloud strategy or cloud migration roadmap, it is seen as a recurring activity and should be performed on an ongoing basis. A key benefit of many cloud-based services is the ability to access relevant reporting, metrics, and up-to-date statistics related to usage, actions, activities, downtime, outages, updates, etc. This may enhance and streamline the governance and oversight activities with the addition of scheduled and automated reporting available.
NOTE: Processes, procedures, and activities may require revision after migration or movement to a cloud-based environment. Not all processes remain the same. Segregation of duties, reporting, and incident management are examples of processes that may require revision after cloud migration.
Interoperability is the requirement for the components of cloud ecosystems to work together to achieve their intended result. In a cloud computing ecosystem, the components may well come from different sources, both cloud and traditional, both public and private cloud implementation (known as hybrid cloud). Interoperability mandates that those components should be replaceable by new or different components from different providers and continue to work, as should the exchange of data between systems. In summary, if your car engine fails, you should be able to replace the engine with the same brand or type of engine, or alternatively look for another engine that will provide the same level of power and function to allow the car to continue to operate. Interoperability uses the same premise: continued availability of services, regardless of providers or cloud components.
Maintenance and Versioning
Maintenance refers to changes to a cloud service or the resources it uses to fix faults or to upgrade or extend capabilities for business reasons. Versioning implies the appropriate labeling of a service so that it is clear to the cloud service customer that a particular version is in use.
Cloud computing and high performance should always go hand in hand. Let’s face it—if the performance is poor, you may not be a customer for very long. For the best experience using cloud services, the provisioning, elasticity, and other associated components should always focus on performance. If you wish to travel by boat, the speed at which you can travel is dependent on the engine and the boat design. The same applies for performance, which always should be focused on the network, the compute, the storage, and the data. With these four elements influencing the design, integration, and development activities, performance should be boosted and enhanced throughout. Remember, it is always harder to refine and amend performance once design and development have been completed.
Portability defines the ease with which application components are moved and reused elsewhere regardless of the provider, platform, OS, infrastructure, location, storage, format of data, or APIs. Portability is a key aspect to consider when selecting cloud providers, since it can both help prevent vendor lock-in and deliver business benefits by allowing identical cloud deployments to occur in different cloud provider solutions, either for the purposes of disaster recovery or for the global deployment of a distributed single solution. Again, think of car components. Light bulbs, brakes, and other standard components could be switched out, yet the car would continue to function.
In the world of cloud computing, privacy presents a major challenge for both customers and providers alike. The reason for this is simple: no uniform or international privacy directives, laws, regulations, or controls exist, leading to a separate, disparate, and segmented mesh of laws and regulations being applicable, depending on the geographic location where the information may reside (data at rest) or be transmitted (data in transit). Given the true global nature and various international locations of cloud-computing data centers, this could mean that your organization’s data could reside in two, three, or more locations around the world at any given time. For many European entities and organizations, this violates European Union (EU) Data Protection laws and obligations, which could lead to various issues and implications. Within Europe, privacy is seen as a human right, and as such should be treated with the utmost respect. Not bypassing the various state laws across the United States and other geographic locations requires an extremely complex and intricate level of knowledge and controls to ensure that no such violations or breaches of privacy and data protection occur.
There are many different regulations that may influence the use and delivery of cloud services. Statutory, regulatory, and legal requirements vary by market sector and jurisdiction, and they can change the responsibilities of both cloud service customers and cloud service providers. Compliance with such requirements is often related to governance and risk management activities.
Cloud resiliency represents the ability of a cloud services data center and its associated components, including servers, storage, etc., to continue operating in the event of a disruption, which may be equipment failure, power outage, or a natural disaster. Given that most cloud providers have a significantly higher number of devices and redundancies in place than a standard “in-house” IT team, cloud resiliency should typically be far higher, with equipment and capabilities ready to failover, multiple layers of redundancy, and enhanced exercises to test such capabilities.
Reversibility is a process for the cloud service customer to retrieve their cloud service customer data and application artefacts, and for the cloud service provider to delete all cloud service customer data and contractually specified cloud service derived data after an agreed period.
For many customers and potential cloud users, security remains the single biggest concern, with as many as 60 percent of business users stating that security concerns are the number one restriction or barrier preventing them from engaging with cloud services. As with any successful security program, the ability to measure, obtain assurance, and integrate contractual obligations to minimum levels of security are key. Many cloud providers now list their typical or minimum levels of security but will not list or publicly state specific security controls (for fear of their infrastructures being targeted by attack vectors and threats). When contracts and engagements require specific security controls and techniques to be applied, these are typically seen as “extras” that will incur additional costs and require the relevant nondisclosure agreements (NDAs) to be completed before engaging in active discussions. In many cases, for smaller organizations, a move to cloud-based services will significantly enhance their security controls, given that they may not have access to or possess the relevant security capabilities of a large-scale cloud-computing provider. The general rule of thumb for security controls and requirements in cloud-based environments is “If you want additional security, additional cost will be incurred.” You can have whatever you want when it comes to cloud security—just as long you as you can find the right provider and you are willing to pay for it!
Service Levels and Service-Level Agreements (SLAs)
The cloud computing service-level agreement (cloud SLA) is a service-level agreement between a cloud service provider and a cloud service customer based on a taxonomy of cloud computing–specific terms to set the quality of the cloud services delivered. It characterizes quality of the cloud services delivered in terms of a set of measurable properties specific to cloud computing (business and technical) and a given set of cloud computing roles (cloud service customer, cloud service provider, and related sub-roles).