Oct 30, 2012

6 Things You Need to Know When Moving Enterprise Content to the Cloud

Earlier this month, OASIS hosted a forum to discuss standards and interoperability issues for cloud computing. As a technical community dedicated to creating and promoting open standards, OASIS tackles many of the tough challenges that government institutions, private enterprises, software vendors, academics and system integrators face when creating applications and platforms to run our digital economy. Business is global, systems must interoperate, and content flows from person to person both inside and outside the firewall. Sharing and re-use of information is made possible only by letting diverse systems work together. This is the beauty of standards.

Speakers throughout the event — representing governments in the US, Europe and Canada, as well as regulated industries, such as banks and pharmaceuticals — highlighted several consistent themes. One presenter, Sounil Yu, shared his perspectives gleaned from the world of financial services, nicely encapsulating five key points made by several of the speakers.

Five Things to Know Before Playing Securely in the Cloud

1. Know Your Cloud Provider

Understand the track record of the cloud service provider(s) you are considering to create, store or share your corporate content. Questions might include: What is their breach history? How transparent and timely is their communication in case of problems? How open are they about operational practices such as patch schedules, pen-tests, emergency response plans, or employee training? Is security addressed as part of the service level agreement? Are they multi-tenant? Know what is allowed and assess whether the other tenants may be a security concern or a target of attack.

2. Know Your Data

Information is an accelerant in the digital economy. Data as the “new oil” is a phrase that has been gaining currency for several years. Organizations must understand what information they create and hold. What level of sensitivity is your information? How many categories of confidentiality or secrecy exist? Are the rules for each category of information clearly understood by your employees and contractors? Are they trained on appropriate handling, sharing and disposal policies?

Is metadata being used to consistently categorize or “tag” information? Consistent use of metadata tagging means more opportunity to automate and have technologies push and pull content across business processes. Information that is of good, reliable quality and consistently structured will be found, read and re-used more frequently.

Also understand who owns the data — there is still much FUD (fear, uncertainty and doubt) about the terms and conditions of some cloud services — particularly for consumer apps. Ensure you retain appropriate rights to your corporate content regardless of storage location.

3. Know Your Applications

Understand how applications depend on each other and on infrastructure technologies. Different types of applications will have different threat profiles, depending on the content and data they process. From a technical perspective, ensure an application cannot become an entryway into other corporate systems or lead to a denial-of-service attack. How does information flow through firewalls? Where are database calls made? Know how the cloud service provider manages the security of its infrastructure. This is an area where standards and certifications can be useful guides.

4. Know Your Users

Understand how authentication and identification of users will be handled. What is the cloud provider using to authenticate users and to manage access permissions or admin rights? Can any internal user IDs be extended to the cloud applications? Standards such as OAuth can provide insight into how authentication is performed. Are there other standards-based or proprietary techniques in use?

 


Source : cmswire[dot]com
