With the advent of Cloud Computing paradigm there are at least five categories of "Actors" emerged.
1. Cloud Consumers, 2. Cloud Providers, 3. Cloud Brokers, 4. Cloud Auditors, 5. Cloud Carriers. The NIST conceptual reference model gives a nice overview of these. ( http://www.nist.gov/itl/cloud/upload/NIST_SP-500-291_Version-2_2013_June18_FINAL.pdf )
The security of more specifically "Information Security" is a cross cutting concern across all these actors. The CSA publishes top threats regularly here. The top threats 2013 are
- Data Breaches
- Data Loss
- Account Hijacking
- Insecure APIs
- Denial of Service
- Malicious Insiders
- Abuse of Cloud Services
- Insufficient Due Diligence
- Shared Technology Issues
All these threats translate to protecting four major areas of Cloud Architecture...
- Application Access - Authentication and Authorization
- Separation of Concerns - Privileged user access to sensitive data
- Key – Management - of encryption keys
- Data at Rest - Secure management of copies of data
Is there any shortcut to achieve security to any of the actors in the Cloud? I do not think so. The perspective presented by Booz & Co on cloud security has a nice ICT Resilience life clycle that was discussed.
Finally, there was a good discussion on the Reliability and Redundancy. The key aspect was how do we achieve better reliability of a complex IT system consisting of multiple components across multiple layers (i.e., web, application, database) to make best utility of non failing components to share the load while isolating the failure component and decoupling it from the cluster and seamlessly re-balancing the workload to the rest of the working components.
Overall it was a good session to interact with academia!
The slide deck that was used: