The concept of cloud computing comes from the network diagrams illustrating the Internet as a cloud, where it is not possible, or not important, to know the information path. While the main reasons for adopting services based on cloud computing are cost saving, flexibility and start-up speed, there are still doubts about the security guarantees and the portability and integration options offered by this model of services.
During 2010 and 2011 and with the aim of clearing up some of these doubts, Safelayer led the “TaaS – Trust as a Service: Trust Services in and for the Cloud” project. Partially funded by Programa AVANZA (ref. TSI-020100-2010-482), this project is being undertaken in collaboration with the Group of Analysis, Security and Systems of the Complutense University of Madrid.
The services offered in any of the cloud computing models (platform, infrastructure or software as a service) are closely related to mobility and, therefore, depend heavily on the continuity of the connectivity, the quality of the service and the security offered by the networks for an optimal user experience.
Furthermore, according to ENISA's "Benefits, risks and recommendations for information security" report, all cloud models share a common set of security responsibilities that rests with the client rather than with the cloud service provider, known as the "Identity and Authentication Management System".
Cloud computing provides companies with new options for managing infrastructures and new business models. In particular, it can mean a big improvement for small and medium-size companies, for whom the cloud represents the opportunity to reduce costs in administration and in maintaining proprietary infrastructures, providing them with technological possibilities similar to those of large companies. Doubts over the security and management of these new systems, however, may slow the uptake in the short term.
For this reason, the objectives of the TaaS project focus on three main areas:
- Contribution to the family of IEEE 802 standards for making the handovers between the networks of different providers or even different technologies transparent for the applications.
- Adaptation of the identity and access management (IAM) services to guarantee the security of the services provided in any of the cloud computing models (services for the cloud).
- Adaptation and migration of the trust services so that they can be managed and offered from the cloud, principally, to make them accessible for SMEs and organizations that need them from time to time (services in the cloud).
The outcomes of the first months of work in each of these areas were discussed in the "Cloud Computing, Security and Trust in the Cloud" workshop, which, in addition to the participants of the TaaS project, was attended by representatives from the Spanish chapter of the Cloud Security Alliance and the Universitat Politècnica de Catalunya.
In the workshop, several initiatives were discussed that are being undertaken by organizations such as the Cloud Security Alliance, its Spanish chapter and ENISA, who work on the detection of the security threats emerging in the new cloud-computing scenarios. These organizations are working to define standards and certifications specifically for the cloud.
As in traditional scenarios, user privacy, along with the appropriate management of sensitive user data, has also become one of the main issues for companies and organizations when migrating their applications and systems to the cloud. In the cloud, the responsibility for protecting information also rests with the entity that manages this data (i.e., the provider of the end service), which requires new tools that help it to identify and control user access that are specific to this new scenario.
Another point of discussion was mobility, which is extremely important for the cloud, where mobile devices play a greater role and are more widely used; the main focus of attention was on the handovers that allow these devices to maintain connectivity when moving between different networks. Standards already exist for transferring a mobile device between operators; the current objective is to make these handovers make-before-break, intra-domain and intra-technology. New protocols are being developed to achieve this. This work, however, depends largely on the will of the operators, who must share the information required to carry out a transfer (cost, bandwidth, channels, location, operator, etc.) in order to offer an optimal service to their clients.
The main conclusion of the workshop is that until standardization and certification initiatives are more firmly implemented—in terms of both organizations and technicians—it is desirable for critical corporate data to be stored in private or hybrid clouds. This gives rise to a possible business model for cloud computing providers in which the transparency of the service and the security of the information are offered as added value that differentiates them from more closed platforms. In fact, one argument in favor of cloud-computing infrastructures is that they are protected by security specialists, a role that many organizations do not fill internally.
The cloud is already a reality for the many companies that have migrated the least critical part of their infrastructure and services. For small and medium-size companies, this migration makes a lot of sense: in the cloud, as well as being able to reduce costs, they also have the opportunity to access technologies and systems that were previously out of reach under a proprietary ownership model.