On the Internet, the primary protection mechanism is encryption. Cloud providers use encryption such as Advanced Encryption Standards (AES) and Triple Data Encryption Standards (3DES) to ensure a standard of security in their environments.
Encryption is often used with identity management. To avoid exposure to a user’s identity and to keep track of varying permissions within the federated cloud, an identity management solution is often required. A username, code name, or PIN may be used to validate a user within a federated environment. A cloud service provider may use identity providers to specify who users are and what they are allowed to access; more about privileged access for users here. The cloud service provider, in this case, defers responsibility to the identity provider for authentication. This type of procedure enables the use of single sign-on (SSO); available with Centrify, OneLogin, or Auth0. Identity security standards have also been established to guide the SSO framework. Two such specifications are:
- WS-Federation (Web Services Federation)
- Security Assertion Markup Language (SAML)
A cloud storage gateway is a network appliance that is used when a business or organization wants a way to encrypt, compress, recover, and archive data before transformation to the cloud. For example, an internal data center owned by Company A is in the process of sending data backups and archives into the cloud for storage.
- Company A deploys a cloud storage gateway server inside their network.
- The server is responsible for encrypting backups, compressing data, recovering data, and archiving data.
- The encrypted data is then sent to the cloud service provider for storage.
The cloud storage gateway helps to diminish the concerns with vendor lock-in since data can still be recovered from internal Company A systems. If the cloud service provider is no longer able to meet Company A business needs, the data stored on internal systems can be used to restore data to another cloud service provider. Cloud storage gateways provide the following functions:
These four functions are not exhaustive; read the online resource, Cloud Computing Architecture, for additional information.
Role of Standardization
With any emerging technology, standardization is a difficult topic as each vendor has a better way of doing things. Fortunately, DCs have been in existence for many decades and the standards developed during those years have carried over into cloud computing, and providers of cloud computing recognize that standardization is good for business. If a new technology is easy to use and works with pre-existing systems, it is likely to receive greater interest. Further, to provide greater confidence in the new technology, the adoption of well-established standards like ITIL and ISO by cloud computing providers will make it easier for businesses and organizations to gain confidence in the new technology. Cloud computing is such a technology.
How can a company or organization be sure their data can be processed on a cloud provider platform? Interoperability describes this functionality and is achieved through standardization. Standardization can be used for security, environmental considerations, interoperability, architectures, and many other aspects of cloud computing. An organization and cloud service provider must know how the different standards will affect operations. This knowledge is important when deciding to adopt or provide cloud services. If security is important to an organization, they will want to select a cloud service provider who is a part of the Cloud Security Alliance (CSA). This organization provides certifications to organizations who follow cloud security best practices. Additional standards used by cloud providers can be found at the following online URLs for some of the more common sources:
- National Institute of Standards and Technology (NIST) – accelerates the development and deployment of systems that are reliable, usable, interoperable, and secure; advances measurement science through innovations in mathematics, statistics, and computer science; and conducts research to develop the measurements and standards infrastructure for emerging information technologies and applications
- Cloud Standards Customer Council (CSCC) – provides guidance to the end-user community about best practices and general information about cloud attributes and capabilities
- Open Grid Forum (OGF) – aim for the adoption of grid computing
- Distributed Management Task Force (DMTF) – aims for agnostic enterprise technology to enable systems management interoperability between vendors and/or companies
- Cloud Security Alliance (CSA) – promotes IT security best practices
- IEEE Standards Association (IEEE-SA) – organization that advances new and existing technologies
As seen in the above list and throughout this course, interoperability is a major topic in cloud computing. Cloud providers have created a forum to address various issues with interoperability. This forum is called the Cloud Computing Interoperability Forum (CCIF), and it seeks to develop a framework that will allow cloud platforms to speak a universal language. This is analogous to a MAC/Apple computer being able to run a Windows OS, due to the Intel processor.
Public and Private Cloud Standards
Public and private cloud standards differ in that organizations who typically adopt private cloud solutions are under more constraints. Private cloud standards are often industry or government based. Standards can also be mandated by the organization itself; for instance, organizations seeking to do business in the European Union (E.U.), will adopt International Organization of Standardization (ISO) standards. Why? It is difficult to nearly impossible to conduct business in the E.U. without the ISO certification.
Information Technology Infrastructure Libraries (ITIL) practices are commonplace in both public and private cloud solutions; however, ITIL is more likely to be seen in the private cloud environment.
Public clouds often set their own standards. The Statement on Auditing Standards (SAS70) provides guidance to service organizations to assess their internal controls, in the event that they are audited. By staying in compliance with well-established standards, cloud service providers can show potential customers value in their services. Two other common standards associated with public cloud environments are the Audit ISO 27001 and ISO 27002 for security management.