Security Tips for Cloud Computing (Germany)

My topic at the seminar was Cloud Computing Applications. Finding something worthwhile under this topic was quite difficult. The cloud is a new technology whose reputation no one wants to harm, and it has only recently begun to grow into standards. Whether the availability of standards is good or bad for this post does not matter.

One very good paper that contains a lot of information about how cloud computing companies should protect computing and stored data is the Eckpunktepapier Sicherheitsempfehlungen für Cloud Computing Anbieter.

This paper was written in collaboration with the German Ministry of Information Technology Security and with suppliers and consumers / potential consumers of cloud services. It is one of the first attempts to bring clarity to the standardization of protection when working in the cloud.

Of course, it is clear from the outset that all the risks associated with data transfer via the Internet also apply to cloud technology. Here you need to consider all the risks from OWASP, but much has already been said about them and I would not want to repeat myself. Therefore, I will try to consider those security points that are specific to clouds.

The first problem for consumers is that they do not get enough information from suppliers on how data and computing will be protected within the cloud. This opacity scares away many potential users. Almost all companies providing these services write that user data will be reliably protected, but they do not indicate what methods will be used.

One of the suggestions for cloud computing providers is to clearly specify the protection provided. It is also recommended to introduce several levels of information protection, since the data of different users have different sensitivity. Also, for some customers, round-the-clock availability and support can be extremely important and necessary, while for other users standard support from the supplier during the working day is sufficient. Such a distinction will not only allow the protection mechanisms provided to each specific consumer to be written into that consumer's contract, but will also make prices flexible. Everyone will pay only for what they really need.

One of the important topics is the verification of consumer identities. This is recommended in order to protect suppliers from dishonest customers who could use cloud resources to crack passwords or create botnets.

Another task for suppliers will be not only to check their own infrastructures for vulnerabilities, but also to check the infrastructures of system users in order to notice weaknesses or incorrect configuration of security systems in a timely manner. It is also recommended to give users the opportunity to conduct such checks themselves or to entrust such checks to third-party IT companies.

Also very important is the fact that cloud service providers are obliged to inform consumers about the country in which the computing centers where information will be stored are located. This is because in many states, government agencies have the ability to request stored data. Accordingly, there are opportunities for espionage / industrial espionage.

Eckpunktepapier "Sicherheitsempfehlungen für Cloud Computing Anbieter"
www.bsi.bund.de/DE/Themen/CloudComputing/Eckpunktepapier/Eckpunktepapier_node.html
