We can think about the risks associated with public cloud computing in terms of the CIA triad, which consists of:
- Confidentiality – Information is only available to those who are authorized to use it
- Integrity – Information is what it purports to be. Transactions are authentic and unmodified in flight
- Availability – Information is accessible when it’s needed
If we consider a public cloud solution from the standpoint of CIA, we quickly realize that the security risks associated with the cloud are not really new risks.
Organizations that make use of public cloud computing services might store their information with a third-party cloud provider. That seems risky, and in fact it is. However, it’s not really a new risk when we consider that modern organizations that do all of their information processes in-house regularly expose their information to vendors and regularly transmit information that unauthorized parties can access. Confidentiality of information isn’t really a new risk associated with cloud computing. It’s a risk organizations already have.
Information has to be what it purports to be. Otherwise the quality is low, and it might be inaccurate, unusable, or even dangerous. Organizations currently work to ensure the integrity of information and the authenticity of transactions, and this doesn’t significantly change with public cloud computing. Information can be modified from its intended form both in completely in-house IT environments and in public cloud environments.
I am an ITIL guy, so availability doesn’t strike me as being as much an aspect of security as it is an aspect of warranty that’s just as important as security. Nevertheless, availability of information is a concern when using a public cloud services provider, but there is also potential risk to availability in traditional IT environments. If there’s anything to learn from ITIL, it’s that current and future availability of services and information is important. We must plan and prepare for how we ensure that availability.
While public cloud computing does introduce some new risks (which will be described in another blog post), cloud computing doesn’t really introduce new security risks to modern IT organizations. Cloud computing may change some aspects of those risks, but the risks themselves are not new.
I wrote this post because we often hear that the greatest concern with public cloud computing is its security weaknesses. This is short-sighted and seems to ignore the fact that these same security risks that are often shown as limitations of cloud computing are actually things that affect all types of computing.