both cases, or with one of the dozens of other CSBs, it is important to thoroughly vet the CSB as you would any new vendor. Each serves a specific market, utilizing different cloud technologies. It is important that the CSBs selected are a good fit for the customer organization and its cloud strategy.
Key Cloud Computing Characteristics
The NIST definition of cloud computing describes certain characteristics that clouds share. Not every third-party solution is a cloud solution. Understanding the key characteristics of cloud computing will allow you to distinguish between cloud solutions and noncloud solutions. This is important as these characteristics result in certain security challenges that may not be shared by noncloud solutions.
On-Demand Self-Service
The NIST definition of cloud computing identifies an on-demand service as one “that can be rapidly provisioned and released with minimal management effort or service provider interaction.” This means the user must be able to provision these services simply and easily when they are needed. If you need a Dropbox account, you simply set up an account and pay for the amount of storage you want, and you have that storage capacity nearly immediately. If you already have an account, you can expand the space you need by simply paying for more space. The access to storage space is on demand. Neither creating an account nor expanding the amount of storage available requires the involvement of people other than the customer. This access is automated and provided via a dashboard or other simple interface.
This can facilitate the poor practice often labeled as shadow IT. The ease with which a service can be provisioned makes it easy for an individual, team, or department to bypass company policies and procedures that handle the provisioning and control of IT services. A team that wants to collaborate may choose OneDrive, Dropbox, SharePoint, or another service to facilitate collaboration. This can lead to sensitive data being stored in locations that do not adhere to required corporate controls and places the data in locations the larger business is unaware of and cannot adequately protect.
The pricing of these services may fall below corporate spending limits that would otherwise trigger involvement of the vendor management office (VMO) and information security and may simply be placed on a purchase card rather than through an invoice and vendor contract. Without VMO involvement, the corporate master services agreement will not be in effect.
If this behavior is allowed to proliferate, the organization can lose control of its sensitive data and processes. For example, the actuary department at an insurance company may decide to create a file-sharing account on one of several available services. As information security was not involved, company policies, procedures, risk management, and controls programs are not followed. As this is not monitored by the security operations center (SOC), a data breach may go unnoticed, and the data that gives the company a competitive advantage could be stolen, altered, or deleted.
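One way a SOC could surface the shadow IT described above is to review web proxy logs for uploads to file-sharing services that never went through vendor management. This is an added example, not part of the original text. The log format, the sanctioned list, and the `files.example.net` placeholder domain are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: services approved through the VMO and monitored by the SOC.
SANCTIONED = {"sharepoint.com"}
# Assumption: file-sharing services to watch for (includes a placeholder domain).
FILE_SHARING = {"dropbox.com", "onedrive.live.com", "sharepoint.com",
                "files.example.net"}

# Constructed proxy log lines: timestamp user department method url bytes_sent
SAMPLE_LOG = """\
2024-03-04T09:12:01Z jdoe actuary POST https://content.dropbox.com/upload 48211934
2024-03-04T09:13:40Z jdoe actuary POST https://content.dropbox.com/upload 1530021
2024-03-04T09:15:02Z asmith claims POST https://contoso.sharepoint.com/_api/files 220113
2024-03-04T09:20:11Z bkhan actuary GET https://www.dropbox.com/home 0
2024-03-04T09:31:45Z lwong finance PUT https://files.example.net/v1/objects 9100
malformed line without enough fields
"""

def service_for(host, catalog):
    """Return the catalog entry that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in catalog:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def find_shadow_it(log_text, min_upload_bytes=1):
    """Sum upload bytes per (department, service) for unsanctioned services."""
    totals = defaultdict(lambda: {"bytes": 0, "users": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue  # skip lines that do not match the constructed format
        _, user, dept, method, url, sent = parts
        if method not in ("POST", "PUT"):
            continue  # only uploads move data out of the organization
        service = service_for(urlsplit(url).hostname or "", FILE_SHARING)
        if service is None or service in SANCTIONED:
            continue
        entry = totals[(dept, service)]
        entry["bytes"] += int(sent)
        entry["users"].add(user)
    return {key: {"bytes": v["bytes"], "users": sorted(v["users"])}
            for key, v in totals.items() if v["bytes"] >= min_upload_bytes}

if __name__ == "__main__":
    for (dept, service), hit in sorted(find_shadow_it(SAMPLE_LOG).items()):
        print(f"{dept}: {hit['bytes']} bytes to {service} by {hit['users']}")
```

Findings are grouped by department so they can be routed to the data owner and the VMO rather than handled as individual user alerts.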
Broad Network Access
Cloud services assume the presence of a network. For public and community clouds, this is the Internet. For a private cloud, it could be the corporate network—generally an IP-based network. In either case, cloud services are not local solutions stored on your individual computer. They are solutions that exist on a network—in the cloud. Without broad and ubiquitous network access, the cloud becomes inaccessible and is no longer useful.
Not all protocols and services on IP-based networks are secure. Part of the strategy for implementing a secure cloud solution is to choose secure protocols and services. For example, Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP) should not be used to move data to and from cloud services as they pass the data in the clear. HTTP Secure (HTTPS), Secure FTP (SFTP), and other encryption-based transmission should be used so that data in motion may be intercepted but not read.
If you are able to access the cloud service and obtain access to your data anywhere in the world, so can others. The requirement for identification and authentication becomes more important in this public-facing environment. The security of accessing your cloud services over the Internet can be improved in a number of ways including improved passwords, multifactor authentication (MFA), virtual private networks (VPNs), etc. The increased security needs of a system available over the network where security is shared between the CSP and customer make these additional steps more important.
Multitenancy
One way to get the improved efficiencies of cloud computing is through the sharing of infrastructure. A server may have more than one company purchasing access to its resources. These resources are shared by the tenants. Like an apartment building, these tenants share resources and services but have their own dedicated space. Virtualization allows the appearance of single tenancy in a multitenancy situation. Each tenant's data remains private and secure in the same way that your belongings (data) in an apartment building remain secure and isolated from the belongings (data) of your neighbor.
However, as the building is shared, it is still the responsibility of each tenant to exercise care to maintain the integrity and confidentiality of their own data. If the door is left unsecured, a neighbor could easily enter and take your things. It is also necessary to consider the availability of the data as the actions of another tenant could make your data inaccessible for a time due to no fault of your own. In our example, if another tenant is involved in illegal activity, the entire building could be shut down. Or, if another tenant damaged the building, your access might be reduced or eliminated. A multitenancy environment increases the importance of disaster recovery (DR) and business continuity (BC) planning.
Rapid Elasticity and Scalability
In a traditional computing model, a company would need to buy the infrastructure needed for any future, potential, or anticipated growth. If they estimate poorly, they either will have a lot of excess capacity or will run out of room. Neither situation is optimal. In a cloud solution, the space needed grows and shrinks as necessary to support the customer. If there is a peak in usage or resource needs, the service grows with the needs. When the needs are gone, the resources used decrease. This supports a pay-as-you-go model, where a customer pays only for the resources needed and used.
For the CSP, this presents a challenge. The CSP must have the excess capacity to serve all their customers without having to incur the cost of the total possible resource usage. They must, in effect, estimate how much excess capacity they must have to serve all of their customers. If they estimate poorly, the customer will suffer and the CSP's customer base could decrease.
However, there is a cost to maintaining this excess capacity. The cost must be built into the cost model. In this way, all customers share in the cost of the CSP maintaining some level of excess capacity. In the banking world, a bank must keep cash reserves of a certain percentage so that they can meet the withdrawal needs of their customers. But if every customer wanted all of their money at the same time, the bank would run out of cash on hand. In the same way, if every customer's potential peak usage occurred at the same time, the CSP would run out of resources, and the customers would be constrained (and unhappy).
The customer must also take care in setting internal limits on resource use. The ease of expanding resource use can make it easy to consume more resources than are truly necessary. Rather than cleaning up and returning resources no longer needed, it is easy to just spin up more resources. If care is not taken to set limits, a customer can find themselves with a large and unnecessary bill for resources “used.”
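The internal limits described above can be checked against a resource inventory, flagging teams whose projected spend exceeds their cap and listing idle resources that could be returned. This is an added example, not part of the original text. The inventory fields, team names, caps, and the seven-day idle threshold are assumptions, and the data is constructed rather than taken from any CSP's API.

```python
from datetime import datetime, timedelta, timezone

HOURS_PER_MONTH = 730  # average hours in a month, used for the projection

# Constructed inventory; field names are assumptions, not a CSP API schema.
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "vm-001", "team": "analytics", "hourly_cost": 0.40,
     "last_used": NOW - timedelta(hours=2)},
    {"id": "vm-002", "team": "analytics", "hourly_cost": 1.20,
     "last_used": NOW - timedelta(days=21)},
    {"id": "vm-003", "team": "analytics", "hourly_cost": 0.80,
     "last_used": NOW - timedelta(days=9)},
    {"id": "vm-004", "team": "web", "hourly_cost": 0.10,
     "last_used": NOW - timedelta(hours=1)},
]
MONTHLY_LIMITS = {"analytics": 1000.0, "web": 500.0}  # assumed internal caps

def review_usage(inventory, limits, now, idle_after=timedelta(days=7)):
    """Per team: projected monthly spend, cap breach, and idle resources."""
    report = {}
    for res in inventory:
        team = report.setdefault(
            res["team"], {"projected": 0.0, "idle": [], "reclaimable": 0.0})
        monthly = res["hourly_cost"] * HOURS_PER_MONTH
        team["projected"] += monthly
        # A resource untouched for idle_after or longer is a cleanup candidate.
        if now - res["last_used"] >= idle_after:
            team["idle"].append(res["id"])
            team["reclaimable"] += monthly
    for name, team in report.items():
        limit = limits.get(name, 0.0)  # a team with no cap has no budget
        team["over_limit"] = team["projected"] > limit
        # Would releasing the idle resources bring the team back under its cap?
        team["ok_after_cleanup"] = (
            team["projected"] - team["reclaimable"] <= limit)
    return report

if __name__ == "__main__":
    for name, team in review_usage(INVENTORY, MONTHLY_LIMITS, NOW).items():
        print(name, round(team["projected"], 2), team["over_limit"], team["idle"])
```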
Resource Pooling
In many ways, this is the core of cloud computing. Multiple customers share a set of resources including servers, storage, application services, etc. They do not each have to buy the infrastructure necessary to provide their IT needs. Instead, they share these resources with each other through the orchestration of the CSP. Everyone pays for what they need and use. The goal is that resources are used efficiently by the group of customers.
This resource pooling presents