Thursday, February 19, 2009

Create a Security Strategy Before Utilizing Cloud Computing

Cloud computing providers such as Amazon EC2/S3, Microsoft Azure, or Google AppEngine offer pay-as-you-go services for hosting data, applications, servers, or entire data centers using the provider’s infrastructure. Cloud computing enables customers to scale resources up or down based on demand. This allows large retail web sites like Target.com to handle an exponential growth in web traffic during “Black Friday” sales without wasting money on additional hardware that will only be used a few times a year.

Cloud computing resources are said to be elastic in that the customer can instantiate 5,000 machines within the cloud and use (and pay for) the resources for only two hours. HIPAA-compliant companies like TC3 Health use this strategy for processing months’ or years’ worth of healthcare claims in a short period of time.

Cloud storage can be leveraged to store large amounts of data in a highly available, globally accessible, fault-tolerant manner. These benefits lead Nasdaq to add 30 to 80 gigabytes of data to Amazon’s S3 storage daily.

Cloud service providers like Amazon are partnering with big technology players like IBM, Oracle, Sun, and RedHat to appeal to enterprise clients. Experts predict that as offerings and underlying technologies mature, Fortune 500 companies will soon incorporate cloud computing into their business and IT strategy.

Companies that wish to adopt cloud computing should identify how their risk profile will change after moving from a traditional data center to a virtual one. Examples of security and compliance risks companies should address before adopting cloud computing are listed below. There are a large number of business risks to consider as well, but the list below does not include any of them.
  • Compliance – When processing or storing credit card, banking, healthcare, or personally identifiable information within the cloud, organizations should create a strategy for ensuring the virtual implementation and the service provider will be compliant with relevant regulatory requirements or security standards.
  • Application Layer Security – Organizations should assess whether new vulnerabilities related to accessing cloud storage, cloud databases (Amazon’s SimpleDB, Google’s BigTable, or Microsoft’s SQL Data Services), or other technologies have been introduced into application code.
  • Operational Security – A documented set of policies should be created regarding the use and management of cloud computing resources. For example, most cloud computing providers utilize a single set of credentials for making changes to the virtual data center. Organizations should not provide these credentials to every data center administrator, nor should changes be made without proper approval. In addition, organizations should discuss the service provider’s operational security policies to ensure an appropriate level of assurance is provided.
  • Incident Response – Organizations should identify a strategy for performing incident response within the cloud. This may require cooperation from the cloud computing service provider, or a custom incident response machine image for services like Amazon EC2 or GoGrid.
Below is a list of companies leveraging cloud computing today:
Animoto
Target.com
TC3 Health
Nasdaq

Here are several popular cloud computing providers:
Amazon AWS
Microsoft Azure
Google AppEngine
SalesForce.com
Mosso Cloud Sites/Files
GoGrid

Cloud computing security papers:
Above the Clouds: A Berkeley View of Cloud Computing