Balaji N.

ITIL Expert, Information Security Consultant

Over the Cloud:
A Holistic Approach to Information Security in Cloud Environments

Definitions
Cloud Computing: the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.
Information security: the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).

Article:
Information Security has become an integral part of the Information Technology and Compliance ecosystem. Essentially comprising physical and logical security, it has gained more importance due to the advancement of newer technologies: high-speed internet connectivity, powerful gadgets and easier ways of communication. These technological advances are also being used by terrorists and antisocial elements for offensive purposes against humanity. Terrorists and even some countries are using technologies to gain power.

Organizations and country administrations have to implement excellent infrastructure (IT and non-IT) to combat such negative forces. It is not only necessary to use process capabilities, resources and technologies to fight them; it has also become imperative for us to create stronger environments to prevent greater damage. It is also important for organizations to create alternative ways to recover data and services in case of any damage to the infrastructure due to a lapse in security.

Current trends in security indicate that leaders' security concerns over sharing information over the internet have not reduced. However, organizations are inclined to use cloud environments to reduce costs and even to recover services in DR-like situations. Several cloud service providers ensure security measures, based on the needs of the customers and with the latest implementations, equivalent to those at the onsite/customer premises. This gives the customer confidence that the data is as secure as at his own premises.

Surveys also indicate the criticality of the inside, on-roll employees in any organization, who are not only the primary assets of the organization but also critical to information security. They become the highest level of risk, as they hold access control to several crucial pieces of the organization's information. It is therefore imperative for organizations to use appropriate HR processes to verify and validate employee credentials to the fullest extent possible. This would reduce, although it is difficult to mitigate, the inherent risks due to employees. This holds irrespective of whether the employees use the services/infrastructure within their premises or in an external environment (such as external datacenters, cloud, managed services, etc.). To emphasize further, it is important to realize that the core employees will have access to and control of crucial organizational data even if the services are outsourced (IaaS, PaaS, SaaS).

www.nbalaji.com

For the concerned organizations, it is necessary to have a holistic approach to managing the risks to the information/knowledge that is essential in delivering customer-centric services. The following are the critical risks organizations would like to take care of:

Data loss/leakage
Shared technology vulnerabilities
Insecure application interfaces
Malicious insiders
Abuse and nefarious use of Cloud computing
Unknown risk profile and account
Account, service and traffic hijacking

Conclusion:
Although newer and specific procedures and processes such as the NIST Guidelines (SP500), ISO 27017 standards and CSA Guidelines (STAR) are to be adopted by most organizations, they also ensure that these implementations are encompassed by reputed standards such as ISO 27001:2013. This approach not only provides confidence in the minds of their customers, but also ensures that the management has a complete view and control of the deviations and costs, in addition to monitoring and improving the ability to manage information.

Note: All trademarks and intellectual properties are duly acknowledged. CSA, AMPG Cloud Computing Whitepaper, NIST, ISO

Abbreviations:
CSA/STAR: Cloud Security Alliance / Security, Trust & Assurance Registry
NIST: National Institute of Standards and Technology
ISO: International Standards Organization
IaaS, PaaS, SaaS: Infrastructure, Platform, Software as a Service
