This module focuses on the business implications of the cloud by looking at the cost considerations, the important security and legal factors and the implications for people management.
The objectives of this course are to provide you with an understanding of:
- The key cost and cost-management implications of cloud services.
- The important implications for organizations in relation to contracts, strategy, structures and personnel.
- The opportunities for organizations in deploying cloud services in relation to managing people, staff development and mobility.
The course is aimed at anybody who needs a basic understanding of what the cloud is, how it works and the important considerations for using it.
Although not essential, before you complete this course it would be helpful if you have a basic understanding of server hardware components and what a data center is.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org to let us know what you think.
Cloud security is a shared responsibility between the service provider who’s accountable for the ‘security of the cloud’ and the customer organization who’s accountable for the ‘security in the cloud’.
It’s logical that, before organizations move all or part of their IT services into the cloud, they’re confident in the security arrangements. These can be affected by the infrastructure they’re using, how their systems are accessed and how their data is handled. So, the cloud provider must provide assurance and certifications to prove how they enforce security, and the customer organization then needs to implement appropriate security measures and processes.
Security of the cloud
This is down to the cloud provider, and will be supported by agreements with the organization and the relevant laws of the region the cloud services are being provided in. We’ll take a look here at some of the important considerations, like compliance controls, infrastructure controls and data integrity.
Compliance controls (and a bit about the law)
Legislation governing IT provision is relevant regardless of whether services are in the cloud or provided through an in-house infrastructure. Either way, the systems are likely to have been audited to check the IT infrastructure is compliant with security and data protection laws.
With cloud services, the provider is accountable for meeting some of these legal requirements, specifically the elements geared toward physical access to the infrastructure. Cloud providers must adhere to many worldwide compliance regulations – here are a few of the major ones:
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was passed to protect the private health information collected by health companies in the United States. It sets national standards for the security of electronic protected health information and, under its privacy rule, an organization can’t disclose protected health information unless authorized in writing by the individual affected.
HIPAA’s Security Rule deals specifically with Electronic Protected Health Information – or EPHI. It has three types of security safeguards required for compliance – administrative, physical, and technical, so is highly relevant for cloud service providers.
General Data Protection Regulation (GDPR)
This is now the primary data protection legislation in the UK – implemented through the Data Protection Act – and relates to data collected and stored about people anywhere in the European Union. GDPR identifies different data roles, including the data subject (the person whose data is being stored), the data controller (the organization that decides how the data will be processed) and the data processor, which includes cloud providers.
It introduces the concept of ‘data protection by design and default’ and protects the individual through seven data protection principles, including purpose limitation, data minimization, accuracy of data, storage time limitations, and integrity and confidentiality.
Payment Card Industry Data Security Standard (PCI-DSS)
This was jointly developed by Visa and MasterCard to simplify compliance for merchants and payment processors. It has six core areas and 12 requirements that cover best practices for perimeter security, data privacy and layered security.
International Organization for Standardization (ISO)
ISO is an international body which publishes world-class specifications for the quality, safety and efficiency of products, services and systems. As standards, they aren’t legal requirements, but they provide reassurance to organizations that their cloud provider meets a high level of compliance in key areas. An example of an ISO standard relevant to IT is ISO/IEC 27001 Information Security Management.
If the IT infrastructure is provided in-house, the organization may have been audited by an external body to check compliance against security and data protection, or controls surrounding PCI DSS or ISO, for example.
Some responsibility for these compliance controls can now be passed over to the cloud provider, specifically things geared towards physical access to the infrastructure.
So, whilst the organization using the cloud is responsible for specific compliance controls and processes, the cloud provider will offer services and features to help monitor the system configuration for compliance. The provider will also closely monitor access to their system through the network for unusual patterns of behavior, blacklisted source addresses and known attack vectors.
Although the use of a common infrastructure is one of the things that helps keep the cost of cloud services down, it also presents a potential security risk. If services or data are highly sensitive, the organization may prefer to have dedicated hosts and tenancy, meaning that no other customer could store data on the same physical host. This is clearly a more expensive option.
The security applied on shared hosts is extremely high and operates at a number of different layers in the host and the hypervisor.
Data integrity and durability
Cloud providers offer a number of features to maintain the security and integrity of the data they process. These include:
- Enforcing HTTPS-based communication so that data is encrypted in transit. For bulk transfers, the cloud provider may also supply data transfer appliances with multiple security features, which the organization fills with data; the data is then encrypted and securely transported back to the cloud provider;
- Configuring communications between the virtual machines running in the cloud to use Transport Layer Security (TLS), a widely adopted security protocol designed to provide privacy and data security over the Internet;
- Using server-side encryption (SSE) to encrypt data while it is being stored. Providers use what are known as ‘key hierarchies’ to do this so that, even if somebody were to gain access to the physical media storing an organization’s data, they would not be able to get to the master key required to decrypt it, because that key is stored somewhere else;
- Fine-grained access controls which require users to be authorized before they can access data. Organizations can control who can access data stored in their storage services; and
- Object versioning, which keeps previous versions of stored objects so that a malicious or accidental overwrite or deletion can be ‘rolled back’ to the previous version.
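The ‘key hierarchy’ behind server-side encryption is easiest to see as envelope encryption. The block below is an added example written for this page, not code from the course or from any cloud provider: each object is encrypted under its own random data key, that data key is wrapped under a master key held by a hypothetical `MasterKeyService` (standing in for a provider’s key management service), and only the ciphertext and the wrapped key are written to the storage media. To stay dependency-free it uses HMAC-SHA256 in counter mode as the keystream with an encrypt-then-MAC tag, a stand-in for the AES-GCM a real provider would use; all names and the sample plaintext are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one 256-bit key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES-GCM).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key or tampering raises."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class MasterKeyService:
    """Hypothetical stand-in for a provider KMS. The master key exists only inside this
    object and never reaches the storage media, so a copy of the media cannot unwrap keys."""

    def __init__(self) -> None:
        self._master_key = secrets.token_bytes(32)

    def wrap(self, data_key: bytes) -> bytes:
        return encrypt(self._master_key, data_key)

    def unwrap(self, wrapped_key: bytes) -> bytes:
        return decrypt(self._master_key, wrapped_key)


def store_object(kms: MasterKeyService, plaintext: bytes) -> dict:
    """Server-side encryption: a fresh data key per object; only its wrapped form is stored."""
    data_key = secrets.token_bytes(32)
    return {
        "ciphertext": encrypt(data_key, plaintext),   # what lands on the media
        "wrapped_key": kms.wrap(data_key),            # data key, unreadable without the KMS
    }


def read_object(kms: MasterKeyService, record: dict) -> bytes:
    """Authorized read path: ask the KMS to unwrap the data key, then decrypt the object."""
    data_key = kms.unwrap(record["wrapped_key"])
    return decrypt(data_key, record["ciphertext"])


def media_contains_master_key(kms: MasterKeyService, record: dict) -> bool:
    """Check what someone holding only the physical media would have: no master key bytes."""
    return kms._master_key in record["ciphertext"] + record["wrapped_key"]


if __name__ == "__main__":
    kms = MasterKeyService()
    record = store_object(kms, b"constructed sample: patient record 42")  # constructed input
    print(read_object(kms, record))
    print("master key present on media:", media_contains_master_key(kms, record))
```

Two properties of the design are worth noting: a different `MasterKeyService` instance (the wrong master key) fails the tag check on the wrapped key and never reaches the object ciphertext, and any modification of the stored bytes is caught by the tag before decryption, which is the integrity half of the ‘integrity and confidentiality’ principle.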
When an organization uploads something to the cloud, multiple copies of the resource are placed into multiple storage servers in multiple physical locations. This ensures a high degree of durability, and recovering data if something fails with the storage systems is fairly easy. Most cloud providers state 99.999999999% – known as ‘eleven nines’ – durability of their storage service, which means that if you stored ten million objects for ten thousand years, they might lose one of them!
Security in the cloud
Whilst the cloud provider is accountable for many aspects of security – after all, that’s about the integrity of their business – these don’t entirely replace the accountability of the customer organization. Customers also have responsibilities through the laws we looked at earlier as well as other management and governance requirements for security in the cloud.
Identity and access controls
These control exactly what users can do with each resource, at which times and under what circumstances.
Cloud service providers will offer a mechanism for integrating an organization’s existing authentication mechanisms with their own to avoid duplicate effort. However, organizations must implement processes and guidelines that follow the principle of least privilege in the same way as they would for an in-house IT infrastructure. This means limiting access rights for users to the bare minimum they need to perform their work.
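A least-privilege policy is only as good as the evaluator that enforces it, so here is an added example, written for this page rather than taken from the course or any provider’s IAM product, of a small policy engine that decides what a principal may do with a resource, at which times and from which networks. It defaults to deny, lets an explicit deny override any allow, and attaches time-of-day and source-network conditions to statements; the principals (`alice`, `bob`), action names and resource paths are hypothetical.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Statement:
    effect: str                                   # "allow" or "deny"
    actions: Tuple[str, ...]                      # glob patterns, e.g. "storage:get", "storage:*"
    resources: Tuple[str, ...]                    # glob patterns, e.g. "bucket/payroll/*"
    hours_utc: Optional[Tuple[int, int]] = None   # hour-of-day window [start, end)
    networks: Tuple[str, ...] = ()                # source CIDRs; empty means any source


Policy = Dict[str, Tuple[Statement, ...]]


def _any_match(patterns: Tuple[str, ...], value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _conditions_hold(stmt: Statement, when: datetime, source_ip: str) -> bool:
    # The "at which times and under what circumstances" part of the control.
    if stmt.hours_utc is not None:
        start, end = stmt.hours_utc
        if not start <= when.hour < end:
            return False
    if stmt.networks:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in ipaddress.ip_network(net) for net in stmt.networks):
            return False
    return True


def evaluate(policy: Policy, principal: str, action: str, resource: str,
             when: datetime, source_ip: str) -> str:
    """Default deny; an explicit deny wins over any allow; non-matching statements are skipped."""
    decision = "deny"
    for stmt in policy.get(principal, ()):
        if not (_any_match(stmt.actions, action) and _any_match(stmt.resources, resource)):
            continue
        if not _conditions_hold(stmt, when, source_ip):
            continue
        if stmt.effect == "deny":
            return "deny"
        decision = "allow"
    return decision


# Constructed sample policy (hypothetical principals, actions and resource names).
POLICY: Policy = {
    # A payroll analyst: read-only, office hours, corporate address space only.
    "alice": (
        Statement("allow", ("storage:get",), ("bucket/payroll/*",),
                  hours_utc=(8, 18), networks=("10.0.0.0/8",)),
    ),
    # An operator with broad rights but an explicit deny on deleting payroll data.
    "bob": (
        Statement("allow", ("storage:*",), ("bucket/*",)),
        Statement("deny", ("storage:delete",), ("bucket/payroll/*",)),
    ),
}


if __name__ == "__main__":
    office_hours = datetime(2024, 3, 4, 10, 0)   # constructed timestamp, 10:00 UTC
    for who, act, res, ip in [
        ("alice", "storage:get", "bucket/payroll/2024.csv", "10.1.2.3"),
        ("alice", "storage:get", "bucket/payroll/2024.csv", "203.0.113.7"),
        ("alice", "storage:put", "bucket/payroll/2024.csv", "10.1.2.3"),
        ("bob", "storage:delete", "bucket/payroll/2024.csv", "10.1.2.3"),
        ("bob", "storage:delete", "bucket/logs/app.log", "10.1.2.3"),
    ]:
        print(who, act, res, ip, "->", evaluate(POLICY, who, act, res, office_hours, ip))
```

The ordering rule matters for least privilege: because every unmatched request falls through to `deny`, adding a new service or resource grants nothing until someone writes an explicit allow, and a broad wildcard allow (like `bob`’s) can still be fenced off with a targeted deny.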
Contracts and SLAs
Organizations will often rely on cloud services to run their business and interact directly with their customers so contracts will need to cover a number of important areas to safeguard the organization. These include:
- Ensuring the public cloud services don’t negatively affect the service level agreement with their customers;
- Agreeing the resiliency of the service, especially as the resolution of issues is out of the organization’s control;
- Agreeing the service level agreement – or SLA – with the cloud provider. This should cover important areas like the availability of the service, the capacity of the resources used and specific timescales and actions for issue resolution.
In many cases, the cloud supplier will have standard SLAs which they can change when they like: the services they offer change, and the SLA changes to keep up. If the customer organization doesn’t think the SLAs support their contractual agreements, they might need to architect their systems to be more fault tolerant and be supported by new SLAs. However, this is likely to cost more for the additional resources, so it’s a case of balancing infrastructure and service requirements with security and continuity requirements.
There’s more information about the legal side of things in the ‘Laws Governing Cloud Computing’ guide. You’ll find the link in the Cloud Literacy Resources.
Daniel Ives has worked in the IT industry since leaving university in 1992, holding roles including support, analysis, development, project management and training. He has worked predominantly with Windows and uses a variety of programming languages and databases.
Daniel has been training full-time since 2001 and with QA since the beginning of 2006.
Daniel has been involved in the creation of numerous courses, the tailoring of courses and the design and delivery of graduate training programs for companies in the logistics, finance and public sectors.
Previous major projects with QA include Visual Studio pre-release events around Europe on behalf of Microsoft, providing input and advice to Microsoft at the beta stage of development of several of their .NET courses.
In industry, Daniel was involved in the manufacturing and logistics areas. He built a computer simulation of a £20 million manufacturing plant during construction to assist in equipment purchasing decisions and chaired a performance measurement and enhancement project which resulted in a 2% improvement in delivery performance (on time and in full).