Cloud computing has led to a shift in how people think about IT systems architecture. Many organizations today are either implementing cloud-based solutions, or evaluating which cloud-based solutions they will be implementing in the future. According to Gartner Inc. cloud computing is "no less influential than e-business". This shift in architecture from an enterprise-based traditional server-based system to a cloud-based system will have associated costs of entry and risks, but it can result in enormous benefits in savings and in IT and business agility.


 

 Note
This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Reference Architecture for Private Cloud documentation is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this article, please include your name and any contact information you wish to share at the bottom of this page.

 


While there is considerable pressure on organizations to consider moving to the cloud-based services, security issues continue to be one of the largest concerns that organizations have about this move. The different cloud-based deployment models, including private, public or hybrid cloud, bring with them a range of challenges, and security concerns cut across them all. Many organizations will need to apply best practice security standards that are far in excess of those that they currently implement with their on-premise systems. The migration or adoption of cloud services then can provide an advantage in that firms can design, from the ground up, their new cloud-based infrastructures with security "baked-in"; this is in contrast to the piecemeal and "after the fact" or "bolted-on" nature of security seen in many data centers today.

The cloud service model that an organization wants to implement influences security design and implementation. We will cover the three cloud computing service models: Infrastructure as a Service (IaaS)Platform as a Service (PaaS) and Software as a Service (SaaS). These models all have different security issues that need to be considered, and more importantly, a determination of the balance of responsibilities between the customer and the cloud provider for each of the service models also needs to be made.

Data storage in the cloud also requires particular consideration. The regulatory environment within which many industries operate may generate particular issues with cloud-based data storage, such as legislation on data access, issues with where the data is stored and used, as well as the important issues around the management of cryptographic keys. Strong cryptographic protection and encryption of any stored data is essential, whether that information is at rest or in transit. This becomes even more important when considering the issue of data storage in jurisdictions where data privacy laws differ from that of the firm's host country.

Cloud-based systems introduce new challenges in authentication and authorization, as organizations must be able to identify users with confidence without generating excessive overhead related to account provisioning. Authorization decisions must be well-defined and very granular, particularly in multi-tenant environments. The relationship between customer and Cloud Service Provider (CSP) must also be explicitly stated in relation to who has administrative rights and consequent access to privileged customer information.

Operational frameworks such as IT Infrastructure Library (ITIL) and Microsoft Operations Framework (MOF) help provide an effective project structure when architecting cloud-based solutions to business problems and scenarios. The cloud environment also provides the opportunity to redefine the monitoring and reporting environment and enable real-time access to management data to the right individuals through customized dashboards.

Finally, we will review the effects of compliance on cloud-based operations and analyze the effects that regulatory compliance has on the options available to organizations that operate within those environments. We will look at the factors that the cloud security architect may need to consider and mechanisms for mitigating compliance risks when adopting cloud-based solutions.

References

For more information on Cloud Computing in general, please see the NIST paper on defining Cloud Computing.

Video: Microsoft Private Cloud Security Overview

ACKNOWLEDGEMENTS LIST:

If you edit this page and would like acknowledgement of your participation in the v1 version of this document set, please include your name below:

[Enter your name here and include any contact information you would like to share]

Return to Cloud Computing Security Architecture

Return to Reference Architecture for Private Cloud