CIAA: What Should Matter Most For Cloud Security


Every day there are more articles citing security as the top concern holding back public cloud adoption. Just as cloud means different things to different people, so does the term security. In discussions with business and industry experts, security concerns really boil down to the classic CIA (now CIAA) triad: confidentiality, integrity, availability and the more recently appended “audit”.

Public cloud security concerns seem to be more focused on Infrastructure as a Service (IaaS) for sensitive workloads and on newer Software as a Service (SaaS) services. Even with the latest concerns around PRISM and the interception of data on cloud servers, the economic viability of cloud computing is too good to hold back. Gartner has predicted 17.7% CAGR in public cloud services usage through 2016.

Below is a breakdown of CIAA and how it can be adapted to cloud security needs today.

Confidentiality is about limiting access or placing restrictions on information, and in order to do that successfully, information needs to be categorized according to its sensitivity and business risk level. Once that assessment has been made, organizations can use workloads of a lower risk level as a starting point for getting comfortable with public cloud services. Not all public cloud providers are created equal, and a growing number have well-established data handling and security procedures. Some cloud providers have tailored their services to different verticals such as healthcare, government and retail, mostly for compliance reasons, but many also cater to some of the more stringent needs around data protection.

However, both cloud providers and consumers would benefit from a model where cloud services could be universally classified according to different levels of trust.  The Open Data Center Alliance has promoted such a model in its Provider Assurance usage model with categories ranging from bronze for less sensitive data to platinum at the higher level.

Integrity is focused on maintaining and assuring the accuracy and consistency of data. To do that, standards have to be implemented to ensure that data cannot be tampered with, and is only accessed by those who have the correct permissions. In addition to the data classification measures in the previous paragraph, integrity can also be ensured by putting in place strict monitoring controls – think threat data analytics and SIEM, encryption, and tokenization. In a public cloud IaaS model the application of these controls will be split between the provider and the end user. Part of establishing appropriate controls and being able to attest and report against these will be derived from drawing up SLAs and reviewing controls over time to ensure that they meet your organization’s needs.

Availability is simply ensuring that data or a service is available when needed. Given the nature of today’s real-time transactions, even data or services with a lower risk level usually require high availability. Public cloud outages are often highly publicized, but the reality is that these are few and far between. Additionally, with the correct precautions, the impact of such outages can be lessened.

Organizations with limited IT staff should select a cloud provider that offers complete cloud redundancy. Onramps are often used to migrate data to the cloud, and a side benefit is that they can also provide cloud mirroring, which allows data to be written to two cloud providers at the same time. This is an ideal strategy, as both providers having an outage at the exact same time would be extremely rare.

Audit refers to the examination and confirmation of controls around data and the IT infrastructure. This is perhaps the most complex aspect of the CIAA concept, as it can be difficult to navigate a maze of emerging regulatory standards, some of which have conflicting clauses. The good news is that the Cloud Security Standards Cloud Controls Matrix provides a crosswalk of multiple standards and regulations broken down by cloud model. The benefit is a unified audit framework that organizations can use to audit once and report against multiple requirements simultaneously.

Remember that levels of confidentiality, integrity, availability and audit depend on the context, not just the cloud context. Business, technical and human risk, governance and other regulatory standards will all condition how CIAA pertains to a particular cloud instance.

By Evelyn de Souza

Evelyn de Souza is a Senior Cloud and Data Center Security Strategist at Cisco, and Co-chair for the Cloud Security Alliance Cloud Controls Matrix. Follow her on Twitter at @e_desouza.


Evelyn de Souza

Data Privacy and Compliance Leader at Cisco Systems
Evelyn de Souza focuses on developing industry blueprints that accelerate secure cloud adoption for business as well as everyday living. She currently serves as the Chair of the newly formed Cloud Security Alliance (CSA) data governance and privacy working group. Evelyn was named to CloudNOW's Top 10 Women in Cloud Computing for 2014 and SVBJ’s 100 Women of Influence for 2015. Evelyn is the co-creator of Cloud Data Protection Cert, the industry's first blueprint for making data protection “business-consumable”, and is currently working on a data protection heatmap that attempts to streamline the data privacy landscape.

Evelyn has recently been added to the CloudTweaks 12/12 Program where her valuable insight can be enjoyed, shared and discussed each month.