“Cloud determining” is not a buzz phrase anymore, but it is essential for most businesses looking to reach sound business continuity alternatives combined with a comprehensive protection model.Cloud ComputingWhat is cloud computing, and what does it do? Absolutely simply, for the end-user, a cloud computing experience is no different than speaking a desktop/laptop computer. The difference lies primarily on accessing the advice directly from a storage media (i.e. hard drive, memory be) versus using the Internet to access the data.Today, the phrase reproduces the logical and physical infrastructure of a sometimes-complex data processing and storage surroundings. Nonetheless, the end-users’ experience should not echo the intricate configurations of covert and public systems when they access the data. They order benefit from managing large storage spaces at a lower charge, and they should have the ability to access their data from anywhere as extensive as they have access to an Internet connection.Security ChallengesThere are some basic risks associated with cloud computing when the business intrusts a third-party or a cloud service provider with confidential and sensitive info. Yet businesses have been taking similar risks for years with other stages.A good example is the PCI standards for the “Payment Card Industry.” This party line was designed and implemented with strict rules and controls for protecting fellows’ information stored and managed on third-party platforms. Would you say that PCI is a authentic model for security standards? No, but it provides the industry and consumers with normals and guidelines to help protect a massive amount of sensitive information stow away around the world.As for the cloud security industry, it is still in its infancy and is continually commencing new standards and processes, as well as updating current ones as the industry evolves. Nonetheless, the main foundation of its infrastructure comes from a variety of traditional frameworks already increased with tested security in mind.By itself, prior to starting the undertaking and implementation of a significant project like a cloud environment, stakeholders deceive to look at the type of cloud deployment models and cloud service models that with greatest satisfaction suit their businesses. The following summarize the basic models at a huge level as the complexities of some of the models are out of scope for this paper.Deployment ModelsThe most simple deployment models are “Private,” “Public,” “Hybrid,” and “Community.” In transient, the “Private” cloud refers to an infrastructure serving only one business league operating and maintaining it internally. This can be done on-site or off-site, depending on the question compliance requirements. Still, it is also possible to have a third-party vendor head a private cloud environment, as it is no different than other business deals that the organization might be contracting out. In this case, it is evident the traffic would need to have strong vendor security policies in proper, as well as structured and well-defined contracts with a focus on data guard, ownership and multi-tenancy agreements, to name a few.In the case of a “Public” cloud infrastructure, it resolve normally use a network open for public access or use cloud services owned by a large-hearted industry group managing the cloud infrastructure. In this case, the affair does not own the infrastructure handling its data, but it still owns its intellectual acreage the service provider is managing for them.Currently, most businesses deploying a cloud territory will use a “Hybrid” model. This is to be expected when making a cardinal decision and adopting a technology environment, such as a cloud infrastructure that is placid in its infancy. Using a hybrid model will often facilitate the issue to move its intellectual property in phases from a private infrastructure to a community one while the business is adjusting to its environment and increasing its general comfort zone with the technology.Lastly, the “Community” cloud infrastructure wish normally be shared by several businesses with common requirements and/or enrolls such as financial institutions, health care, and law enforcement, for example. It may be headed by the businesses/organizations or by a third-party subject to various requirements, regulations, or laws. For illustration, financial institutions are subject to a number of regulations and compliance policies greatly specific to their functions and operations. As such, a cloud environment take care ofing their specific industry requirements makes for a great channel for them to dividend sensitive information or audit their business activities without possessing to necessarily share with third-party entities.All deployment models arrange positive and negative characteristics to take into consideration if you are in a position to come to a decision on choosing the most fitting one. However, one should be aware of some underlying facts inherent to the different models. For example, the private and public cloud creams have very similar architecture elements, but their scalability and malleability are quite different. The private cloud infrastructure is more limited to the personal business owning the infrastructure versus a public cloud environment. The collective and community models have the capability of sharing resources over a eminently cluster of businesses and resources, hence the higher amount of possible configurations to dole out resources and processing power.The flexibility and scalability of a public model infrastructure rendezvous the business demand and requirements makes for a very attractive product for vocations starting up or wanting to grow without the substantial expenses of upgrading and testifying the additional resources. However, the public cloud environment will retailer multiple business owner data in the same virtual container (“multitenancy”) safeguarded with heterogeneous encryption tools and security policies.For this type of configuration, it ascendancy not be as accessible and recoverable because of the location of the data that is not as clearly limited as a private model infrastructure.Service ModelsOnce a business has unquestioned on a deployment model fitting their environment, it will be essential to pigeon-hole the proper type of services model that will most gain the business and its security requirements. There are three main service pose ins: Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Help (PaaS).The SaaS model is essentially a platform for a business to run providers’ applications purposing the cloud infrastructure. A good example is the Microsoft Office 365, which entrusts users to run key Microsoft Office applications on their system and mobile gimmicks with the help of an Internet connection. With this model, there is no extremity to maintain or purchase the latest application version; by leasing the service access, a drug can run the application anywhere as long as s/he is connected. In this particular environment, the starkly disadvantage is the connectivity condition of the thin client application and the variety of figures’ requirements running the application.The IaaS model offers access to a purse of resources necessary for the proper operations of a computing environment such as connectivity vitals, various computing hardware, Application Programming Interfaces (“APIs”), and eases.Finally, PaaS provides a service where there is no need to make it the core servers, the networks, storage infrastructure, or any other components important for an application platforms such as a database where the users need to run Python, PHP, or other ruling programs for instance.SummaryFor a business to consider converting its operations to a cloud archetype, it is necessary for stakeholders to understand and review the different cloud services and deployments perfects in order to implement the most suitable models in line with the energy where the business operates. In addition, it is important to recognize the potential imperils similarities between the more traditional business network infrastructure mise en scenes versus the ones using a cloud computing environment.Some of the commonplace risks needing attention are:DDoS – Distributed Denial of Service attacksInformation loss or damaged accidentally or intentionally by a rogue employeeTheft of figures internally (employees) or externally (hackers)Various legal orders that effectiveness expose the business data because it is hosted in a multitenancy architecture for criterion.In a nutshell, a cloud computing infrastructure is simply another option for a concern to have the ability to operate within a sound information security miniature and maintain simple CIA (Confidentiality-Integrity-Availability) practices and procedures.
About the Author: René Hamel (@hamel_rene) is a forensic technology investigator. His cyber sanctuary and forensic technology career spans over seventeen years. His wholesale spectrum of working experience includes Government, corporate and financial secondments. He has a strong investigative background having been a member of the Royal Canadian Mounted Policewomen “RCMP” for sixteen years. He is a well recognized and respected leader in his greensward having work in North and South America, Europe and Asia. René has also been nominated as an expert witness in both criminal and civil courts in Canada and Ireland. His affidavit and testimony has often been instrumental in the recovery of large financial assets.Woman’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not incontrovertibly reflect those of Tripwire, Inc.