CIAA: What Should Matter Most For Cloud Security

CIAA: What Should Matter Most For Cloud Security

CIAA: What Should Matter Most For Cloud Security

Everyday there are more articles citing security as the top concern holding back public cloud adoption. While cloud means many things to different people, so does the term security. In discussions with business and industry experts, security concerns really boil down to the classic CIA—now CIAA—triad: confidentiality, integrity, availability and the more recently appended “audit”.

Public cloud security concerns seem to be more focused on Infrastructure as a Service (IaaS) for sensitive type workloads and on newer Software as a Service (SaaS) services. Even with the latest concerns around PRISM and the intercepting of data on cloud servers, the economic viability of cloud computing is too good to hold back. Gartner has predicted 17.7% CAGR in public cloud services usage through 2016.

Below is a break down of CIAA and how it can be adapted to cloud security needs today.

Confidentiality is about limiting access or placing restrictions on information, and in order to do that successfully, information needs to be categorized according to its sensitivity and business risk level. Once that assessment has been made, organizations can use workloads of a lower risk level as a starting point for getting comfortable with public cloud services. Not all public cloud providers are created equal and a growing number have well established data handling and security procedures. Some cloud providers have tailored their services to different verticals such as healthcare, government and retail mostly for compliance reasons, but many also cater to some of the more stringent needs around data protection.

However, both cloud providers and consumers would benefit from a model where cloud services could be universally classified according to different levels of trust.  The Open Data Center Alliance has promoted such a model in its Provider Assurance usage model with categories ranging from bronze for less sensitive data to platinum at the higher level.

Integrity is focused on maintaining and assuring the accuracy and consistency of data. To do that, standards have to be implemented to ensure that data cannot be tampered with, and is only accessed by those who have the correct permissions. In addition to the data classification measures in the previous paragraph, integrity can also be ensured by putting in place strict monitoring controls – think threat data analytics and SIEM, encryption, and tokenization. In a public cloud IaaS model the application of these controls will be split between the provider and the end user. Part of establishing appropriate controls and being able to attest and report against these will be derived from drawing up SLAs and reviewing controls over time to ensure that they meet your organization’s needs.

Availability is simply ensuring that data or a service is available when needed.  For the nature of today’s real-time transactions, even data or services with a lower risk level usually require high availability. Public cloud outages are often highly publicized, but the reality is that these are few and far between. Additionally, with the correct precautions, the impact of such outages can be lessened.

For organizations with limited IT staff, select a cloud provider that offers complete cloud redundancy. Onramps are often used to migrate data to the cloud, and a side benefit of that is that they can also provide cloud mirroring, which allows data to be written to two cloud providers at the same time. This is an ideal strategy as the chances of both providers having an outage at the exact same time would be extremely rare.

Audit refers to the examination and confirmation of controls around data and the IT infrastructure. This is perhaps the most complex aspect of the CIAA concept, as it can be difficult to navigate a maze of emerging regulatory standards—some of which have conflicting clauses. The good news is that the Cloud Security Standards Cloud Controls Matrix provides a cross walk of multiple standards and regulations broken down by cloud model. The benefit is a unified audit framework that organizations can use to audit once and report against multiple requirements simultaneously.

Remember that levels of confidentiality, integrity, availability and audit depend on the context—not just cloud context. Business, technical and human risk, governance and other regulatory standards will all condition how CIAA pertains to a particular cloud instance.

evelyn-de-souzaBy Evelyn de Souza,

Evelyn de Souza is a Senior Cloud and Data Center Security Strategist at Cisco, and Co-chair for the Cloud Security Alliance Cloud Controls Matrix. Follow her on Twitter at @e_desouza.

Follow Us!

CloudTweaks

Established in 2009, CloudTweaks.com is recognized as one of the leading authorities in cloud computing information. Most of the excellent CloudTweaks articles are provided by our own paid writers, with a small percentage provided by guest authors from around the globe, including CEOs, CIOs, Technology bloggers and Cloud enthusiasts. Our goal is to continue to build a growing community offering the best in-depth articles, interviews, event listings, whitepapers, infographics and much more...
Follow Us!
FacebookTwitterLinkedInGoogle+Share

Sorry, comments are closed for this post.

Join Our Newsletter

Receive updates each week on news, tips, events, comics and much more...

Advertising Programs

Click To Find Out!

Sponsored Posts

Sponsored Posts

CloudTweaks has enjoyed a great relationship with many businesses, influencers and readers over the years, and it is one that we are interested in continuing. When we meet up with prospective clients, our intent is to establish a more solid relationship in which our clients invest in a campaign that consists of a number of

Popular

Top Viral Impact

Cloud Infographic – The Power Of Cloud Disaster Recovery

Cloud Infographic – The Power Of Cloud Disaster Recovery

Cloud Infographic – The Power Of Cloud Disaster Recovery Preventing a Cloud Disaster is one thing. Recovering from a disaster is a whole other area of concern. Today’s infographic provided by CloudVelox outlines some best practices and safeguards in order to help your business make more informed decisions. About Latest Posts Follow Us!CloudTweaksEstablished in 2009,

BYOD Will Continue To Define Workplaces In 2014

BYOD Will Continue To Define Workplaces In 2014

BYOD Will Continue To Define Workplaces In 2014 The bring-your-own-device trend has been the subject of scrutiny ever since its initial formation. Given how quickly personal smartphones and tablets became a fixture in everyday life, it makes perfect sense that these mobile machines would slip into workplaces. While BYOD has caused headaches for many businesses,

Technology Advice Report: 2014 Business Intelligence Buying Trends

Technology Advice Report: 2014 Business Intelligence Buying Trends

Technology Advice Report: 2014 Business Intelligence Buying Trends For nearly every business, the concept of business intelligence is nothing new. Ambitious organizations have been searching for any type of data-driven advantage for some time now – perhaps for as long as they’ve existed. However, the historical use of competitive intelligence pales in comparison to the

Can I Contribute To CloudTweaks?

Yes, much of our focus in 2015 will be on working with other influencers in a collaborative manner. If you're a technology influencer looking to collaborate long term with CloudTweaks – a globally recognized leader in cloud computing information – drop us an email with “tech influencer” in the subject line.

Please review the guidelines before applying.

Whitepapers

Top Research Assets

HP OpenStack® Technology Breaking the Enterprise Barrier

HP OpenStack® Technology Breaking the Enterprise Barrier

Explore how cloud computing is a solution to the problems facing data centers today and highlights the cutting-edge technology (including OpenStack cloud computing) that HP is bringing to the current stage. If you are a CTO, data center administrator, systems architect, or an IT professional looking for an enterprise-grade, hybrid delivery cloud computing solution that’s open,

Public Cloud Flexibility, Private Cloud Security

Public Cloud Flexibility, Private Cloud Security

Public Cloud Flexibility, Private Cloud Security Cloud applications are a priority for every business – the technology is flexible, easy-to-use, and offers compelling economic benefits to the enterprise. The challenge is that cloud applications increase the potential for corporate data to leak, raising compliance and security concerns for IT. A primary security concern facing organizations moving