As we mentioned last week, please find here the continuation of the paper I authored for Microsoft about its approach to security of Cloud offering, including using the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR).
Let me know what you think!
The Microsoft approach to cloud transparency
Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)
Part II – Cloud assurance challenges
Having a good grasp of risk management is important in today’s information security and privacy landscape.
When working with cloud computing providers such as Windows Azure and cloud-provided services such as Office 365 and Microsoft Dynamics CRM, it is important to understand that risk assessments need to consider the dynamic nature of cloud computing.
An organization needs to consider performing a full-scope risk assessment that looks at several criteria whenever a new initiative is underway. Cloud computing is no different. Some of the more prominent criteria that typically interest organizations that are considering cloud computing deployments are discussed in the following sections.
There are many security dimensions to consider in cloud computing scenarios.
When evaluating controls in cloud computing, it is important to consider the entire services stack of the cloud service provider. Many different organizations may be involved in providing infrastructure and application services, which increases the risk of misalignment. A disruption of any one layer in the cloud stack, or in the customer- defined last mile of connectivity, could compromise the delivery of the cloud service and have negative impacts. As a result, customers should evaluate how their service provider operates and understand the underlying infrastructure and platforms of the service as well as the actual applications.
Secure data destruction or erasure
Many organizations have policies that require data to be deleted when it is no longer needed, or after a fixed interval. At times, these policies mandate that data deletion be attested to, which may take the form of a statement that the data has been destroyed in a manner that prevents its reconstruction.
Many cloud providers cannot easily attest to such deletion, partially because of the way cloud data is rapidly replicated and relocated on many disk drives, servers, and data centers. Although the assumption may be that such data is overwritten in its “original” or prior location, the possibility frequently exists that a determined forensic process (or attack) could retrieve such data.
Cloud computing in its current multi-tenant form is relatively new, and many deploying organizations are concerned with the maturity of the tools used by providers to host and manage their data.
Microsoft stands out from newer entrants to the market because of its experience in related technology platforms (such as Hotmail®, MSN®, and others), as many as twenty years in some cases.
Beyond the typical risk of data loss on disk drives, the existence of additional tools such as hypervisors, virtual machine managers, new operating and storage environments, and rapidly deployed applications introduce additional stability and redundancy factors that must be included in data loss considerations.