Friday, October 1, 2010

Cloudy with a Chance of Security – Addressing Security and Privacy Risk at Scale in Cloud-based Delivery Systems

Panelists: Kore Koubourlis (Microsoft), Gerlinde Zibulski (SAP AG), Linda Bernardi (StraTerra Partners LLC), and Alyssa Henry (Amazon Simple Storage Service)

A panel of women from industry presented their views on security, privacy and compliance concerns in cloud-based applications and Software as a Service (SaaS). The session began with the introduction of the panelists and a discussion of what a cloud is. Cloud was defined as a “pay as you go” type of environment in which you do not buy the infrastructure. The main characteristic of cloud is that it should lift you higher by accomplishing your business tasks. It was interesting to learn about the evolution of cloud. Twenty-five years ago you could rent your computer and software. Similarly, cloud lets you use hardware, software, databases, and applications without owning them.

There are different types of clouds. For example:
1. Community cloud – for sharing information with millions of people.
2. Public cloud – enterprises let many end-users use the cloud.
3. Private cloud – this is more security-aware than a public or community cloud and could have access restricted to certain IP addresses.
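The third item above mentions restricting a private cloud to certain IP addresses. As an added example (not from the panel or any of the panelists' products), here is a small source-address allow-list check written in Python with the standard `ipaddress` module. The address ranges, the trusted reverse proxy and the sample requests are all constructed for illustration; the point it shows beyond the list item is that the check must be made against the TCP peer address, and a client-supplied `X-Forwarded-For` header may only be honoured when the peer is a proxy the operator controls, otherwise the restriction is trivially bypassed.

```python
"""Source-address allow-list for a private cloud endpoint (added example)."""
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed allow-list (documentation ranges standing in for real ones):
# an office egress block, an IPv6 VPN prefix, and one admin jump host.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed: the only reverse proxy trusted to append X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def parse_ip(raw: str) -> Optional[IPAddress]:
    """Parse an address; return None on malformed input so callers fail closed."""
    try:
        return ipaddress.ip_address(raw.strip())
    except ValueError:
        return None


def effective_client_ip(peer_ip: str, forwarded_for: Optional[str]) -> Optional[IPAddress]:
    """Pick the address to evaluate.

    The TCP peer is authoritative. Only when the peer is a trusted proxy do we
    look at X-Forwarded-For, and then only at the rightmost entry, which is the
    one that proxy appended (everything to its left came from the client and
    can be forged).
    """
    peer = parse_ip(peer_ip)
    if peer is None:
        return None
    if forwarded_for and any(peer in proxy for proxy in TRUSTED_PROXIES):
        last_hop = forwarded_for.split(",")[-1]
        return parse_ip(last_hop)
    return peer


def is_allowed(peer_ip: str, forwarded_for: Optional[str] = None) -> bool:
    """True if the effective client address falls inside an allowed network.

    Membership tests across IP versions return False, and unparseable input
    is rejected, so the default is deny.
    """
    client = effective_client_ip(peer_ip, forwarded_for)
    if client is None:
        return False
    return any(client in net for net in ALLOWED_NETWORKS)


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header or None)
    samples = [
        ("203.0.113.42", None),                       # office client, direct
        ("192.0.2.9", "203.0.113.42"),                # spoofed header, untrusted peer
        ("10.0.0.5", "198.51.100.200, 203.0.113.42"), # office client via trusted proxy
        ("10.0.0.5", "203.0.113.42, 192.0.2.9"),      # forged left entry, real client denied
        ("2001:db8:10::1", None),                     # IPv6 VPN client
        ("not-an-ip", None),                          # malformed, fail closed
    ]
    for peer, xff in samples:
        print(f"{peer!r:20} xff={xff!r:40} allowed={is_allowed(peer, xff)}")
```

The same pattern applies whether the check sits in a load balancer rule, a security group, or application middleware: decide once which hop is trusted, and evaluate the allow-list on the address that hop observed.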

As we move into the cloud, the biggest issue is control over systems and data. People can get pretty hung up on that. There is a range of security offered by cloud services. The customers have to choose the type of security, and therefore share responsibility for the security of their data and applications with the service providers.

Cloud is not just provided by service providers. Many enterprises can expose part of their data or services through private clouds that are operated internally. In the cloud computing environment, the end-users define and drive what they need. They can focus on their applications or core competencies and free themselves from the burden of tasks that don’t differentiate them from their competitors – in essence, the basic and common functionality can be outsourced to the service providers.

The concept of cloud architecture is very important. The architecture should be designed to be economical, easy and fast. It depends upon what the end-user wants to get out of the cloud. For example, if you have to analyze your data, you should think about cross-analysis of data, and the cloud should be architected accordingly.

Businesses that want to put applications on the cloud should find out how often security patches are implemented and applied. They should also be aware of what happens in case of a data breach.

One interesting question that the panelists addressed was: "How can we address our compliance needs with the architecture of the cloud?" They said that this is where the room for innovation is, because if something happens that is outside of procedures, it has real and high costs. Therefore compliance is a real issue for large companies.
They gave an anecdote that customers often don’t really know what is going on in all their environments. Often the chances of an internal threat are higher than the chances of an external threat to data and security. Often the outside is made secure by the service providers, but the inside is not secure. There are aspects of compliance that have to be taken care of on the customer's end and some on the provider's end. One should make sure that the provider has given a clear overview of compliance at the time of selling their services.

There are opportunities for further research in the area of cloud computing. For example:
1) Business-process-driven monitoring of services or applications.
2) Standards for data back-up strategies.
