Security and the cloud: Since this is a certification exam on security and not just on memorization of cloud-based terminology, it is important to recognize the security issues associated with cloud computing. Two you should know for the exam are multitenancy and laws and regulations:
Multitenancy: One of the ways cloud computing is able to obtain cost efficiencies is by putting data from various clients on the same machines.
This “multitenant” nature means that workloads from different clients can run on the same system, so a flaw in the isolation between them (in the hypervisor, the storage layer, the network, or the application’s own data segregation) could compromise security.
In theory, a security incident could originate with another customer at the cloud provider and bleed over into your data. Because of this, data needs to be protected from other cloud consumers and from the cloud providers as well.
Laws and Regulations: The consumers retain the ultimate responsibility for compliance.
The main issue centers on the risks associated with moving important applications or data from within the confines of the organization’s computing center to that of another organization (i.e., a public cloud), which is readily available for use by the general public.
The responsibilities of both the organization and the cloud provider vary depending on the service model.
Reducing cost and increasing efficiency are primary motivations for moving towards a public cloud, but relinquishing responsibility for security should not be.
Ultimately, the organization is accountable for the choice of public cloud and the security and privacy of the outsourced service.
National Institute of Standards and Technology, Special Publication 800-144
Cloud computing holds great promise when it comes to scalability, cost savings, rapid deployment, and empowerment.
As with any technology where so much is removed from your control, though, risks are involved. Each risk should be considered carefully in order to identify ways to mitigate it. Data segregation, for example, can help reduce some of the risks associated with multitenancy.
Software and services that are not necessary for the implementation should be removed or at least disabled. Patches and firmware updates should be kept current, and log files should be carefully monitored.
You should find the vulnerabilities in the implementation before others do and work with your service provider(s) to close any holes.
When it comes to data storage on the cloud, encryption is one of the best ways to protect it (keeping it from being of value to unauthorized parties, including the provider itself, provided you keep control of the keys), and virtual routing and forwarding (VRF), which keeps each tenant’s traffic in a separate routing table, can help segregate network traffic.
Backups should be performed regularly (and encrypted and stored in safe locations), and access control should be a priority.
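The multitenancy flaw described above (one tenant reading another tenant’s data because the implementation does not segregate it) and the advice to find such holes yourself are easiest to see in code. The following is an added example written for this page, not code from the original text or from any cloud provider: it uses an in-memory SQLite table with constructed sample rows for two hypothetical tenants, shows a lookup that ignores the caller’s tenant beside a hardened lookup that scopes every query by tenant, and includes a small segregation check that tries every record from every tenant’s point of view and reports any cross-tenant leaks.

```python
import sqlite3

# Constructed sample data for two hypothetical tenants (not from the original page).
SAMPLE_ROWS = [
    (1, "acme", "acme-customer-list.csv"),
    (2, "acme", "acme-payroll.xlsx"),
    (3, "globex", "globex-secret-formula.pdf"),
]


def build_db():
    """Create an in-memory multitenant table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_document_insecure(conn, caller_tenant, doc_id):
    """Flawed lookup: fetches by id alone and never checks who is asking.

    The caller_tenant argument is accepted but ignored, so any tenant that
    guesses or enumerates an id reads another tenant's record.
    """
    return conn.execute(
        "SELECT id, tenant_id, name FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


def get_document_secure(conn, caller_tenant, doc_id):
    """Hardened lookup: the tenant is part of every query.

    A record belonging to another tenant simply does not resolve (None),
    which also avoids confirming that the id exists.
    """
    return conn.execute(
        "SELECT id, tenant_id, name FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, caller_tenant),
    ).fetchone()


def verify_segregation(conn, fetch_fn):
    """Segregation check: request every id as every tenant and report leaks.

    Returns a list of (requesting_tenant, leaked_doc_id) pairs; an empty list
    means no tenant could read data that belongs to a different tenant.
    """
    tenants = [r[0] for r in conn.execute(
        "SELECT DISTINCT tenant_id FROM documents ORDER BY tenant_id")]
    ids = [r[0] for r in conn.execute("SELECT id FROM documents ORDER BY id")]
    leaks = []
    for tenant in tenants:
        for doc_id in ids:
            row = fetch_fn(conn, tenant, doc_id)
            if row is not None and row[1] != tenant:
                leaks.append((tenant, doc_id))
    return leaks


def demo():
    """Run both lookups as tenant 'acme' against a record owned by 'globex'."""
    conn = build_db()
    return {
        "leaked": get_document_insecure(conn, "acme", 3),   # globex's record
        "blocked": get_document_secure(conn, "acme", 3),    # None
        "own": get_document_secure(conn, "acme", 1),        # acme's own record
        "insecure_leaks": verify_segregation(conn, get_document_insecure),
        "secure_leaks": verify_segregation(conn, get_document_secure),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The segregation check is the kind of test you would run (and have your provider or your own application team run) before someone else finds the gap: it does not depend on knowing which code path is wrong, only on the invariant that no tenant may ever receive a row tagged with a different tenant_id.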
NOTE: For a good discussion of cloud computing and data protection, visit http://whoswholegal.com/news/features/article/18246/cloud-computing-data-protection.