Mark: Welcome back to our session on cloud computing, where we'll talk about what cloud computing is, the threats and vulnerabilities to cloud computing. We'll also talk about how to defend against it and what the feature is, and we'll talk about the Cloud Security Alliance. So, I'm joined with Dave Doody, my-, an expert. Dave, can you just explain a bit about what cloud computing is? 

Dave: Cloud computing is effectively using a virtual environment. So, you're moving away from a physical server, a physical switch, router that you may have within your own business property and using a third-party supplier over the internet. So, you're going to be using their platforms, their programmes, their applications, in order to deliver the service that you used to do in the old-fashioned physical network. 

Mark: So, then we have something like, what? Public and Private clouds? 

Dave: Yeah. So, what we have, we have sort of three levels of service that a cloud provider will provide, and that is starting off with the very very basic, the Infrastructure as a Service. Now, that model is, the cloud provider will provide you, as the term says, infrastructure; the basics network on which to work. As a user, you will build what you need onto that infrastructure. So, you have an awful lot of responsibility compared to the cloud user. Now, the next one up is the Platform as a Service, okay? And on this one, what we have is the cloud provider will provide you with the infrastructure, and they will provide you with a platform for-, you know, so you can now place your applications onto those platform and utilise that. And then the next level up, the top end of the service that we-, the cloud users have is the Software as a Service. And the software as a service is an example Microsoft Office 365. As they will provide you with the infrastructure, the platform, and all of the software. So, all you have to do as a user is look after the data that is being input into the-, into the cloud. 

On top of that, we have different types of cloud. The very very simple one is the Public cloud. Public cloud, Apple. Buy an Apple phone, you get five gigs of storage space on their platform. So, you are sharing a server with many many many thousands, you know, of people, all on the same, you know equipment. Then, we have Private cloud. Private is very more-, is more secure. So, we have a server all to yourself, or to an organisation. Nobody else shares that server. And that's going to be either in your own environment, in your own premises, or on the cloud service provider's premises. And then the other one we have is a Community cloud. And the community is people of like-minded sense, same interests, sharing a cloud platform. And an example of that would be the Formula 1 racing teams. They all register into the FIA, and they share the FIA's platform because they'll all want to know about the laws, regulations, relating to, you know, Formula 1 racing. But, they can then have their own Private cloud for each team. 

Mark: So, then we move into threats and vulnerabilities to the cloud computing. So, what do you-, what do you think they are then? 

Dave: So, the threats. If we keep it simple, threats and the vulnerabilities to the cloud is, how do we get the data from your premise to wherever it needs to be stored and processed on-, in the cloud? And what we can say is, if it happens in the real world, in the physical world, it can also happen in the virtual world. Just because it's now technical, it's-, you know, it does not go away. We have to think about how that data is moved, who has access to it, how is it processed, how is it distributed, and so on. 

Mark: So, this feeds into the legislation stuff that we've, previous-, mentioned before in previous sessions. So, GDPR, Data Protection Act. 

Dave: Yes, every data-, every cloud provider, and their data centres, wherever they may be located in the world, they have to think about the laws of the land in which they serve and live. So, and if they were providing the service for a customer outside of that, they also have to adhere to the laws that you know, that the user is-, has to follow. So, you'll find that cloud service providers and their data centres are extremely secure and very very strong security is used. People would say military-grade security. And they will be certified across the board for all different regulations, laws and standards that are required for different individual, you know, employment and grounds. 

Mark: That's right. So, we had, obviously, Edward Snowden, insider threat, which had an impact on the cloud, and he even mentioned in his discussions about cloud and vulnerabilities. So, so, Dave, how do we defend against attacks against cloud computing? 

Dave: So, we can defend against attacks is-, start thinking about awareness programmes. Telling people what they can and can't do, how things should be handled, doing background checks on the staff and on the cloud service providers, and also making sure you have policies, processes, procedures in place, and making sure that you are adhering to the laws of whatever-, and the regulations and the standard bodies that you have to adhere to. 

Mark: So, if I was-, if we were looking to adopt some-, a cloud provider, Cloud Security Alliance, what sort of-, type of things would we need to look at? And what would the Cloud Security Alliance help you with? 

Dave: So, the Cloud Security Alliance, they have set a framework. It's a-, it's a nice framework that you can follow. So, it dictates to some extent, to the cloud provider, what is their security? What are they responsible for? And how they, you know, can deliver it. But, at the same time, it's also giving guidance to the user on what they should be looking for. What should they expect of the cloud provider? And also, what are their-, what are they accountable for, and their actions and the responsibilities? It's not always, as some people think, the responsibility of the cloud provider to provide 100% security. 

Mark: Yeah. Well, thank you very much for that. So, we've covered in this module, specifically, talked about what cloud computing is, and we've looked at the threats and vulnerabilities, how to defend against, and also looked at potentially adopting the cloud security model in terms of what we are getting. So, I appreciate this discussion we've had today, so thank you very much, thank you. 

Dave: Okay, thank you very much, Mark.