Questions and Answers about Secure Cloud Computing

What is cloud computing?

Primary characteristics of cloud computing are IT services on-demand, great flexibility and scalability - often called elasticity.  Resources are to some or large extent shared with other users of the same cloud - multi-tenancy.

Can one have personal data in the cloud?

In principle there is nothing in the way of processing and storage of personal identifiable data in the cloud, but all relevant security rules and guidelines must of course be observed. This is easier to say than to implement. Nature of Personal Data may also be crucial. Both email addresses and disease information may be 'personal', but security requirements for them are different. It is important to note that the european privacy directives are older than any cloud service, and that when the DPA uses the law text on cloud computing services, it generates often a series of questions to both users and suppliers that can be more than difficult to answer.

What is the SPI model?

SPI is an acronym for SaaS, Paas and IaaS, which are respectively "Software as a Service", "Platform as a Service" or "Infrastructure as a Service".

How is the security in cloud computing?

It depends on many factors such as whether you choose SaaS, Paas or IaaS, and whether the cloud is private, public, hybrid or "community"-based. For companies without special IT security competencies, e.g. many small or medium sized businesses without a dedicated IT security function, cloud computing could probably provide better security than they would be able to establish, not least maintain them selves.

Is cloud computing mostly for larger or more for smaller organizations?

Both... but for different reasons. For some large companies the cloud business case are better than what small businesses can achieve. Simultaneously, cloud computing provides small and medium sized businesses economical attractive access to professional IT operations and resources that were previously reserved to companies with much larger IT budgets.

Is cloud computing for governments?

There are plenty of examples all over the world. However, privacy issues and security issues often stand in the way for further cloud computing.

Should security professionals warn against cloud computing?

Yes, if the security people do not want to be consulted in the future, just say no to the cloud now.

Is there a difference in security of the various providers

Yes. Besides the natural differences between Software, Platform or Infra-Structure as a service, there are also - sometimes large - differences in the security facilities provided by different vendors. Neupart has surveyed the security of Google, Force.com and Microsoft Azure. Download the report here.

What is Cloud Security Alliance?

Cloud Security Alliance (CSA) is a "nonprofit" organization, which implements a wide range of initiatives in cloud security. For example, CSA publishes a free guide and instructions on cloud security. Members are a variety of vendors and corporate users of cloud computing, in addition to individuals. That combination gives a good weight behind the association and its initiatives. Other initiatives from CSA includes a GRC stack with a "control matrix". The matrix has a series of "controls" with relevance to cloud security, each mapped up to ISO 27001, PCI, COBIT, NIST and more.

What is CCSK?

CCSK is a certification issued by Cloud Security Alliance. The abbreviation means Certificate of Cloud Security Knowledge. CSA now works wih approved training providers. Neupart is the first CSA partner in Europe to offer CSA's original CCSK preparation course. In this course, you can enhance your knowledge about cloud security and prepare to take the optional certification test.

What does the EU say about cloud computing?

EU's security office, ENISA has published an excellent guide on how a business can do risk assessesment of cloud providers.

Read more about cloud security from ENISA

IT GRC Solution for the cloud

Learn more about SecureAware Cloud

Learn about IT GRC