How can one keep data secure with cloud computing
A large company is working on a new project that requires
cloud computing. If they utilize their private network they can reasonably
assume their data to be secure, given that all protocols with remote access are
followed or the private network does not allow remote access.
Software/Hardware used:
Software/Hardware used:
ASKED:
February 9, 2010 8:21 PM
UPDATED:
December 16, 2011 7:04 PM
Answer Wiki:
When you store data in a 3rd parties cloud you have to assume that the Cloud provider (Microsoft, Amazon, RackSpace, etc) will keep your data secure. If you need to be sure that your data is secure, then a Cloud platform may not be the correct choice.
-MrDenny
----
It really depends on the application. I was at a cloud computing user group meeting recently and asked around about this same question.
For some uses, attendees suggested, you can just encrypt everything, and use it as a storage-as-a-service. In other cases, more and more vendors are letting customers deep dive into facilities and to see exactly how the data is being secured. It's never absolute, but then again, security never is. Just have to determine the acceptable risk and work from there. The Microsoft, Amazon, RackSpace's of the world likely won't give you this "inner" peak, but often smaller vendors will.
-Michael
Federated Identity Management, Proper Encryption techniques with Key Management for Data, Network Security measures, Virtualization Security and Physical Security are main areas while considering Cloud Computing.
-Mitesh
To see all answers submitted to the Answer Wiki: View Answer History.
Thank you both for answering. Please do not mind if I play devil’s advocate.
If a company was to encrypt everything, would not the computers performing the cloud computations need to have the encryption key to work with the data? If that was the case then the red data (unencrypted) would be available again with the usage of black data (encrypted) only present in transmission.
On that same note, do either of you (or anyone else for that matter) know if when creating a cloud computing agreement (I am not sure what else to call it) a company can hold the provider accountable for security breaches? I can imagine a situation where when a company seeks a cloud provider, a hardware encryption method is introduced between sites and the cloud provider only works with the information in a filtered facility.
You are correct to say security is not absolute. I can only hope that encryption methods supersede that of people who will eventually have THz processors.
Security involves confidentiality, integrity and availability. This last principle could be improved with a cloud service, because most providers will have your data available in more than one physical place in case of any incident with one of them.
Also, I would assume most providers will have a dedicated team of security experts, which could not be the case in all companies, but you would have to trust them, and that is not always easy (and recommendable). On the other hand, the provider could want to charge you for additional security services, which are probably not included by default.
In the storage-as-a-service mentioned by Michael, I think the encription keys don’t have to be shared with the provider, because they are not processing the data, just storing it.
Also, cloud providers will be an attractive target for hackers for sure.
So, I agree with MrDenny. If you want to be sure that your data is secure (and you have the necessary resources and budget to do it by your own), then a cloude service may not be the best choice.