Dec 22, 2015

Page 1: Some of the scenarios of security that Nimbus would encounter, having adopted cloud computing, would be: – Availability/Reliability – Amazon Web Services.

5.3 Deep Dive: Security Standards

Some of the scenarios of security that Nimbus would encounter, having adopted cloud computing, would be:

– Availability/Reliability – Amazon Web Services or Force.com could have outages that render Nimbus' marketing application unusable.

– Data isolation/multi-tenancy – cloud providers, especially the SaaS vendors, enable multi-tenancy in their environment. This could lead to data isolation issues unless secured with proper access controls. Nimbus could have its data exposed to another client of Birst if the right controls are not in place.

– Data ownership – ideally Nimbus should own the data even if it resides with the cloud provider. However, the cloud provider also has access and could take ownership of some of the derived data, such as platform usage patterns. This needs to be clarified between the parties.

– Trust – the relationship between Nimbus and the cloud provider runs on trust. Nimbus could have performed audits or been shown audit reports of, say, Amazon's environment, but it is a matter of trust to believe that what has been shown is indeed active on Nimbus' environment, or that its data are not misused by the provider's employees.

There are many more aspects of security, such as service levels on data usage, data privacy, compliance, etc., that a cloud user would encounter. Are the reasons behind these unique challenges understood?


5.3.1 Purpose, Expectations and Challenges

• Cloud computing brings in certain security challenges not seen in typical on-premise/enterprise infrastructure due to the nature of its model, such as:

• Distributed model – the data and services are spread across multiple data centres and infrastructures, causing concerns of availability, ownership and compliance.

• Shared model – the cloud works on sharing code bases/services and infrastructure for data and services across multiple clients, causing concerns of data isolation.

• Access ubiquity – cloud services are web-based and can be accessed from anywhere by means of any client type – secure or non-secure – causing concerns of hacking.

The focus is thus to ensure that security controls are effective to address these challenges. Broadly, the expectation from the standards would be to address:

• Cloud Data Security, ensuring:

  • Accountability (validating the claim of identity by a user, user authentication and auditing of user actions)

  • Authorisation (access control to allow or deny user access based on privilege, and confidentiality to prevent information disclosure to unauthorised parties)

  • Availability (data to be accessible whenever needed and with integrity)
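The three expectations above, and the data isolation scenario from the Nimbus case, can be made concrete in code. The following is an added example written for this page, not code from the lecture or from any cloud provider: a minimal multi-tenant store in which every access is attributed and audited (accountability), lookups are scoped by the authenticated caller's tenant with role checks on writes (authorisation), and each record carries a digest verified on read (availability with integrity). Tenant names, users, keys and record bodies are constructed sample data.

```python
"""Added example (not from the lecture): a minimal multi-tenant data store that
enforces the three cloud data security expectations listed above.

- Accountability: every access is attributed to an authenticated principal and
  written to an audit trail, whether it succeeded or was denied.
- Authorisation: rows are keyed by the caller's own tenant, so a client can never
  name another tenant's data; role checks gate writes.
- Availability with integrity: each record stores a SHA-256 digest of its body,
  verified on every read, so silent corruption is detected rather than served.

Tenant names, users and records below are constructed sample data."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str
    role: str  # "reader" or "editor"


@dataclass
class Record:
    tenant: str
    key: str
    body: dict
    digest: str  # SHA-256 of the canonical JSON body at write time


class AuthorizationError(PermissionError):
    pass


class IntegrityError(ValueError):
    pass


def canonical_digest(body: dict) -> str:
    """Digest over a canonical serialisation so key order cannot change the hash."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class TenantStore:
    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, str], Record] = {}
        self.audit: List[dict] = []

    def _log(self, who: Principal, action: str, key: str, outcome: str) -> None:
        self.audit.append({"user": who.user, "tenant": who.tenant,
                           "action": action, "key": key, "outcome": outcome})

    def put(self, who: Principal, key: str, body: dict) -> None:
        if who.role != "editor":
            self._log(who, "put", key, "denied")
            raise AuthorizationError(f"{who.user} may not write {key}")
        self._rows[(who.tenant, key)] = Record(who.tenant, key, dict(body), canonical_digest(body))
        self._log(who, "put", key, "ok")

    def get(self, who: Principal, key: str) -> dict:
        # The lookup is scoped by the authenticated tenant, never by a
        # client-supplied tenant id, so a cross-tenant read cannot be expressed.
        rec = self._rows.get((who.tenant, key))
        if rec is None:
            # "Missing" and "belongs to someone else" are reported identically,
            # so the response does not reveal other tenants' keys.
            self._log(who, "get", key, "denied")
            raise AuthorizationError(f"{who.user} may not read {key}")
        if canonical_digest(rec.body) != rec.digest:
            self._log(who, "get", key, "integrity-failure")
            raise IntegrityError(f"stored record {key} fails its integrity check")
        self._log(who, "get", key, "ok")
        return dict(rec.body)


def demo() -> List[str]:
    """Exercise the store with two tenants and return the audit outcomes."""
    store = TenantStore()
    nimbus = Principal("alice", "nimbus", "editor")
    other = Principal("bob", "othercorp", "reader")  # another client of the same SaaS
    store.put(nimbus, "campaign-q3", {"budget": 1000, "channel": "email"})
    assert store.get(nimbus, "campaign-q3")["budget"] == 1000
    try:
        store.get(other, "campaign-q3")  # same key, different tenant: denied
    except AuthorizationError:
        pass
    # Simulate storage corruption of the tenant's record; the next read must fail.
    store._rows[("nimbus", "campaign-q3")].body["budget"] = 1
    try:
        store.get(nimbus, "campaign-q3")
    except IntegrityError:
        pass
    return [entry["outcome"] for entry in store.audit]


if __name__ == "__main__":
    print(demo())  # ['ok', 'ok', 'denied', 'integrity-failure']
```

The design point is that the tenant identifier never comes from the request: it is bound to the authenticated principal, so the "other client of Birst" scenario cannot be expressed as a query at all, and the denied attempt still leaves an audit entry for the provider and the customer to review.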

• Cloud Service access security:

  • To avoid Domain Name System (DNS) security threats during service access (e.g. IP hijacking, changing the path to the destination IP)

  • To avoid Denial-of-Service (DoS) attacks in the cloud, impacting its availability

• Managing compliance due to issues such as data storage across geographies, etc. (this is extensively covered in the compliance section subsequently)

5.3.2 Initiatives – Focus, Sponsors and Status

Tables 5.3 and 5.4 show some of the key initiatives by industry bodies as well as by vendors towards security standards.


5.3.3 Market Adoption

The Cloud Security Alliance is formed and backed by industry heavyweights such as HP, Verizon, VMware, McAfee, etc. This would speed up its adoption. Amazon [25] has put into practice several security measures to address all of the discussed issues.

5.3.4 Gaps/Areas of Improvement

Security is a very broad and most important concern to be addressed in cloud computing. The scenarios discussed are to be addressed before security is removed from the top of the concerns list of various user surveys.

5.4 Deep Dive: Portability Standards

Nimbus, having tried with an initial set of cloud providers, now decides to move some of its applications to other competitive/well-rated providers and some back to its on-premise environments. Portability here becomes a major concern, and some relevant scenarios will be:

– The marketing applications built on Force.com need to be moved to the GAE or Microsoft Azure environment (PaaS) or even back to the Nimbus data centre (application/service portability).

– Nimbus plans to consolidate its data marts into a centralised data warehouse. Hence, it wants its marketing data mart to be moved back to the Nimbus environment (data portability).

– Do the current standards address these scenarios?

5.4.1 Purpose, Expectations and Challenges

The standards around portability are expected to enable a smooth switch of cloud providers with minimal impact on cost and service quality. The purpose is thus to set guidelines for the cloud providers to build relevant layers of abstraction in their environments to help portability. Looking across the delivery models, the following are some of the challenges to address for portability:

• SaaS – the content, data and metadata (application configurations) should be portable to a new environment for a smooth switch.

• PaaS – the code base, application frameworks, data and metadata would be some of the things to port.

• IaaS – the software runtime environments (configurations and APIs) would need to be ported. Typically, this would be the VM.

Metadata

• A classification scheme for indexing a certain type of data and making it more readily available. An example of metadata is the World Wide Web Consortium-developed Resource Description Framework (RDF), a symbolic language that enables programmers to develop metadata schemes for a variety of data types.

5.4.2 Initiatives – Focus, Sponsors and Status

Tables 5.5 and 5.6 show some of the key initiatives by industry bodies as well as by vendors towards portability standards.


5.4.3 Market Adoption

• The current status is that portability using virtualisation, via the Open Virtualization Format (OVF) standard, is the one in place. IBM has built an OVF toolkit and Citrix has the Project Kensho OVF tool as a part of their XenServer virtualisation technology. Sun, Eucalyptus and a few other vendors, however, are claiming portability by using open source-based platforms.

5.4.4 Gaps/Areas of Improvement

The OVF standard addresses portability through movement of VMs, which is the typical technology basis for the cloud. This addresses IaaS-level portability. Standards/guidelines for portability of the other models (SaaS, PaaS), as discussed earlier, still need to be addressed.
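Moving a VM between providers in OVF form raises an integrity question the lecture does not spell out: how the receiving side knows the package arrived unaltered. An OVF package carries a manifest (.mf) listing a digest per file, in the form SHA256(file-name)= hexdigest (SHA1 in OVF 1.x packages). The following is an added example written for this page, not code from the lecture, from IBM's toolkit or from Project Kensho, that parses such a manifest and checks a package against it. The package contents, file names and manifest are constructed stand-ins, not a real appliance.

```python
"""Added example (not from the lecture or from any OVF toolkit): verify an OVF
package's manifest before a ported VM is imported. An OVF package carries a
.mf manifest whose lines read

    SHA256(file-name)= <hex digest>        (SHA1 in OVF 1.x packages)

one per file in the package. Checking it catches a disk image that was
corrupted or altered in transit between providers. The package contents and
file names below are constructed stand-ins, not a real appliance."""
import hashlib
import hmac
import re
from typing import Dict, Tuple

MANIFEST_LINE = re.compile(
    r"^(?P<algo>SHA1|SHA256|SHA512)\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9a-fA-F]+)\s*$"
)


def parse_manifest(text: str) -> Dict[str, Tuple[str, str]]:
    """Map file name -> (hash algorithm, expected hex digest); reject odd lines."""
    entries: Dict[str, Tuple[str, str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        entries[m["name"]] = (m["algo"].lower(), m["digest"].lower())
    return entries


def verify_package(manifest: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Return a status per file: ok, mismatch, missing (listed but absent) or
    unlisted (present but not covered by the manifest)."""
    entries = parse_manifest(manifest)
    status: Dict[str, str] = {}
    for name, (algo, expected) in entries.items():
        data = files.get(name)
        if data is None:
            status[name] = "missing"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        status[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for name in files:
        if name not in entries and not name.endswith(".mf"):
            status[name] = "unlisted"  # an extra file that no digest vouches for
    return status


def package_is_intact(status: Dict[str, str]) -> bool:
    return bool(status) and all(v == "ok" for v in status.values())


def build_manifest(files: Dict[str, bytes]) -> str:
    """Produce a manifest the way a packaging tool would, for the constructed sample."""
    return "".join(f"SHA256({n})= {hashlib.sha256(d).hexdigest()}\n" for n, d in files.items())


# Constructed sample package: descriptor plus one disk image.
SAMPLE_FILES: Dict[str, bytes] = {
    "nimbus-app.ovf": b"<Envelope>constructed descriptor</Envelope>",
    "nimbus-app-disk1.vmdk": b"constructed disk image bytes",
}
SAMPLE_MANIFEST = build_manifest(SAMPLE_FILES)


def demo() -> Tuple[bool, bool]:
    """Return (clean package verifies, tampered package is rejected)."""
    clean = package_is_intact(verify_package(SAMPLE_MANIFEST, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES, **{"nimbus-app-disk1.vmdk": b"altered in transit"})
    rejected = not package_is_intact(verify_package(SAMPLE_MANIFEST, tampered))
    return clean, rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Two caveats for a practitioner: a file present in the package but absent from the manifest is reported as unlisted rather than ignored, since nothing vouches for it; and the manifest alone only detects accidental corruption, because whoever can rewrite the disk image can rewrite the manifest too. OVF also allows an optional certificate file carrying a signature over the manifest, which this example does not check; that signature is what turns the check into an authenticity guarantee.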

5.5 Deep Dive: Governance, Risk Management and Compliance Standards

Having placed several core and non-core systems on the cloud, Nimbus has a key dependency on the provider to ensure that these systems do not fail and impact its business. Several assessments and discussions with the provider were done and a contract signed. Now, how does Nimbus ensure the contractual terms are being met on an ongoing basis by the provider? What if there is a breach? How can this risk be managed? Nimbus has signed up for several regulatory measures. How far are these adhered to by the provider? What if there is a breach? These are some of the concerns handled by the GRC (Governance, Risk Management and Compliance) function.

5.5.1 Purpose, Expectations and Challenges

GRC (Governance, Risk Management and Compliance) in cloud computing can be considered as an extension of the traditional model, but it has to address several new challenges, as it is applied to an environment external to the organisation. The governance requirements can be classified as:

1. Design-time governance, covering (a) service definition (e.g. design, build management, source code management and QA) and (b) service deployment

2. Runtime governance, covering (a) service policy management (e.g. security, performance, reliability, etc.) and (b) service retirement

3. Change management for services, policies, processes, data and infrastructure

The governance spans across all the cloud service types, viz. software (SaaS), platform (PaaS) or infrastructure services (IaaS).

Risk management in a cloud will be relevant to managing all types of IT and business risks that ensue from managing services in an external environment, such as operational risk (e.g. outages), security risks (both data and process), financial risk and legal risk (due to non-compliance with regulatory needs).

Lastly, compliance of the cloud with various regulatory needs brings in typical requirements, such as:

1. Records management (ensuring records for all activities)

2. Auditing (audit of all transactions)

3. Legal and eDiscovery needs (support for any forensic investigation)

4. Data privacy (meeting privacy laws as per region)

5. Geography (restrictions on geography imposed by organisations/governments)

The expectation from the standards is to enable the cloud to meet all the above-listed requirements.
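The five compliance requirements above can be exercised together in a small check that a customer such as Nimbus could run against a provider's resource inventory. The following is an added example written for this page, not code from the lecture or from any provider: it evaluates requirements 4 and 5 (privacy by region, geography restrictions) against a residency policy, and records every decision in a hash-chained log that serves requirements 1 to 3 (records of all activity, auditability, and evidence that survives a forensic or eDiscovery review intact). The policy table, region names and resource inventory are constructed sample data, not any provider's real regions or any regulator's real rules.

```python
"""Added example (not from the lecture): an automated check for requirements 4
and 5 above (data privacy by region, geography restrictions) whose decisions are
written to a tamper-evident log that serves requirements 1 to 3 (records of all
activity, auditability, and evidence usable in a forensic or eDiscovery review).
The policy table, region names and resources are constructed sample data; they
are not any provider's real regions or any regulator's real rules."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str  # "public", "internal" or "personal-data"
    region: str          # where the provider actually stores it


# Constructed residency policy: data class -> regions permitted to hold it.
POLICY: Dict[str, Set[str]] = {
    "public": {"eu-west", "us-east", "ap-south"},
    "internal": {"eu-west", "us-east"},
    "personal-data": {"eu-west"},  # e.g. a rule keeping personal data in one jurisdiction
}


class ComplianceLog:
    """Append-only log where each entry commits to the previous one's hash, so a
    deleted or edited record breaks the chain and is detectable in audit."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _hash(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = dict(event, seq=len(self.entries), prev=prev)
        entry["hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev"] != prev or self._hash(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def evaluate(resources: List[Resource], policy: Dict[str, Set[str]], log: ComplianceLog) -> Dict[str, bool]:
    """Decide per resource whether its region is permitted for its data class,
    recording every decision (compliant or not) in the log."""
    results: Dict[str, bool] = {}
    for r in resources:
        allowed = policy.get(r.classification)
        compliant = allowed is not None and r.region in allowed  # unknown class fails closed
        log.append({"resource": r.name, "classification": r.classification,
                    "region": r.region, "compliant": compliant})
        results[r.name] = compliant
    return results


# Constructed inventory, as a provider's API might report it.
SAMPLE_RESOURCES = [
    Resource("marketing-datamart", "personal-data", "eu-west"),
    Resource("campaign-archive", "personal-data", "us-east"),  # out of region
    Resource("product-catalogue", "public", "ap-south"),
    Resource("unlabelled-bucket", "unknown", "eu-west"),       # no classification
]


def demo() -> Dict[str, bool]:
    log = ComplianceLog()
    results = evaluate(SAMPLE_RESOURCES, POLICY, log)
    assert log.verify()
    log.entries[1]["compliant"] = True  # a finding "fixed" after the fact
    results["log_intact_after_edit"] = log.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

Two choices are worth noting. A resource with no recognised classification fails closed rather than being skipped, because an unlabelled store of personal data is the usual way a geography rule gets broken unnoticed. And the log is verified by recomputing every hash from the genesis value, which is the check an auditor or an eDiscovery reviewer would run to show that the record of decisions was not edited after the fact.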

5.5.2 Initiatives – Focus, Sponsors and Status

There are very few guidelines focused on GRC (Governance, Risk Management and Compliance). The Cloud Security Alliance [19], discussed under security standards, also covers the aspects of GRC and is the only industry initiative. Table 5.7 shows the vendor initiatives only.


5.5.3 Market Adoption

• As seen from Table 5.7, there is only one initiative that is focused on GRC (Governance, Risk, Compliance). This initiative also has not yet seen large-scale adoption. Furthermore, the initiatives from vendors are not yet standardised.

5.5.4 Gaps/Areas of Improvement

Given the importance of this focus area for an organisation to successfully and safely conduct its business with its systems on the cloud, there seems to be a dearth of standards.


5.6.1 Initiatives – Focus, Sponsors and Status

• Apart from standards classified under interoperability, security, portability and governance and compliance, there are some key standards that are worth tracking. They focus either on other areas such as modelling, architecture frameworks or a broad support movement towards a cloud with open standards (Table 5.8).


5.7 Closing Notes

Standardisation historically has been a challenge. Getting competitors to agree on standards or switch to another vendor's standards is tough. However, driven by powerful standards organisations such as DMTF, SNIA, etc., with backing from industry leaders, it can definitely be made possible whilst avoiding excessive proliferation. The aim should be to extend the existing IT standards to address the new scenarios that the cloud brings in, and not to create fresh standards, which would make their definition and adoption tougher.