ENISA [29], the Cloud Security Alliance (CSA) [30] and in 'Security
Recommendations for Cloud Computing Providers'.
So what are the 7 key preventative measures that a Cloud computing user
can take to avoid or reduce the associated security risks?
Define the level of data protection
When creating or transferring data in the Cloud, the user must classify his
data (e.g. normal, high, extremely high security level), analyse his security
requirements and define which data the Cloud provider should store and
transfer, and how. This may involve the use of certain encryption processes or a
sophisticated privileges scheme for access to certain information. In
addition, the data should also be defined in relation to the Cloud provider's
security standards.
Secure storage of data in the Cloud
Stored data are encrypted using different algorithms (e.g. Advanced
Encryption Standard (AES)) and key lengths (e.g. 256 bits). As a rule of
thumb, the stronger the encryption process, the more secure the data. The
level of encryption must still be tested and improved from time to time.
With all the benefits of encryption, key management remains the
responsibility of Cloud service users. If they lose their keys, they also lose
their encrypted data. If their keys are compromised, the security of their
data may be compromised as well. Customers must therefore weigh up their
key management options and implement procedures to minimise these
dangers. In addition, the problem of processing data in encrypted form still
remains to be solved. There have been some advances in homomorphic
encryption. However, the only current solution is to encrypt the data prior
to further processing.
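An added example (not from the original text) of the customer-held key management described above: each object is encrypted with AES-256-GCM before upload, and its data key is wrapped under a master key that stays with the customer. The function names, the object name and the sample data are assumptions made for illustration.

```javascript
// Added example: client-side envelope encryption with Node.js built-in crypto.
const { randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// AES-256-GCM with a fresh 96-bit nonce; returns nonce || tag || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Inverse of seal(); throws if the key is wrong or any byte was altered.
function unseal(key, blob, aad) {
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Encrypt one object before upload: a per-object data key encrypts the data,
// and the customer's master key (never sent to the provider) wraps the data key.
function encryptForCloud(masterKey, objectName, data) {
  const aad = Buffer.from(objectName); // binds both ciphertexts to the object name
  const dataKey = randomBytes(32);     // 256-bit key
  const record = { name: objectName, wrappedKey: seal(masterKey, dataKey, aad), body: seal(dataKey, data, aad) };
  dataKey.fill(0);                     // drop the plaintext data key once it is wrapped
  return record;                       // only this record is handed to the provider
}

// Unwrap the data key with the master key, then decrypt the object body.
function decryptFromCloud(masterKey, record) {
  const aad = Buffer.from(record.name);
  const dataKey = unseal(masterKey, record.wrappedKey, aad);
  return unseal(dataKey, record.body, aad);
}

// True if the record decrypts and authenticates under masterKey, false otherwise.
function canDecrypt(masterKey, record) {
  try { decryptFromCloud(masterKey, record); return true; } catch { return false; }
}

// Constructed sample data, for illustration only.
const masterKey = randomBytes(32);
const stored = encryptForCloud(masterKey, 'hr/payroll.csv', Buffer.from('id,salary\n1,50000\n'));
console.log(decryptFromCloud(masterKey, stored).toString());
console.log('decrypts with a different key:', canDecrypt(randomBytes(32), stored));
```

Without the original master key the stored record cannot be decrypted, which is the key-loss risk the text describes; a modified or renamed record is rejected as well.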
Secure transfer of data in the Cloud
Besides the secure, isolated storage of data, the secure transport of
customers' data in the Cloud and between Cloud computer centres plays an
important role (e.g. via Secure Shell (SSH), Internet Protocol Security (IPSec), Transport
[29] Catteddu, D. and Hogben, G., editors. 'Cloud Computing: Benefits, risks and recommendations
for information security'. The European Network and Information Security Agency (ENISA), 2009.
[30] Brunette, G. and Mogull, R., editors. Security Guidance for Critical Areas of Focus in Cloud
Computing V2.1. Cloud Security Alliance, 2009. Cloud Security Alliance (2010)