Reimagining Cloud Security in the Indian Context
Enterprises are leveraging software to modernise their IT infrastructure: to run operations smoothly, drive extensive automation, reimagine legacy business processes and remain agile through a suitable mix of public, private and hybrid clouds, all while proactively countering a growing threat landscape and optimising the cost of operations.
In this emerging Indian cloud ecosystem, security, privacy and trust challenges are increasingly relevant, and cloud computing is therefore of growing interest and importance to policymakers, regulatory authorities, telecom operators and enterprises.
Opportunities and threats
First and foremost, the Indian regulator needs to develop a pan-Indian 'cloud strategy' that supports growth and jobs and builds an innovation advantage for India. However, a number of challenges and risks around security, privacy and trust currently exist that may undermine these policy objectives.
At the outset, it will be important to analyse the technological, operational and legal intricacies of cloud computing, taking into account the Indian dimension and the interests and objectives of all stakeholders (citizens, individual users, companies, cloud service providers, regulatory bodies and the relevant public authorities).
This article aims to advance the understanding of what cloud computing implies for security, privacy and trust. Beyond summarising the current theoretical and empirical evidence base, we intend to offer policymakers additional value by setting out the open questions surrounding some of the important security, privacy and trust issues.
Enterprises should evaluate and manage the security of their cloud environment with the goal of mitigating risk and delivering an appropriate level of support. This includes: ensuring effective governance, risk and compliance processes; auditing operational and business processes; managing people, roles and identities; properly protecting data and information and implementing privacy policies; assessing the security provisions of cloud applications; and understanding the security requirements of the exit process.
Managing the new cloud environment
Data is at the core of information security concerns for any organisation, whatever the form of infrastructure that is used. Cloud computing does not change this, but cloud computing does bring an added focus because of the distributed nature of the cloud computing infrastructure and the shared responsibilities that it involves. Security considerations apply both to data at rest (held on some form of storage system) and also to data in motion (being transferred over some form of communication link), both of which may need particular consideration when using cloud computing services.
Cloud platform operation and maintenance (O&M) involves two categories of account. The first is the personal account of an O&M staff member: it is tied to a single user ID, is used to log in to the VPN and the bastion (jump) host, and therefore produces audit logs that can be attributed to one person. The second is the technical account, which is shared. For routine or emergency O&M, a technical account should be bound, for the duration of the task, to the individual or O&M team using it, so that its activity remains attributable; a shared account that is used without such a binding leaves an audit trail that names nobody.
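The account model described above, as an added example that is not part of the original article: a minimal check-out ledger in which personal accounts are attributable by their user ID, while a shared technical account must be bound to a named operator, with a reason and a bounded window, before use. Bastion log lines are then resolved back to a person, and a shared-account login with no active binding is flagged. The account names, host name, log format and timestamps are constructed for illustration and do not come from any real platform.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed log format: "<ISO-8601 UTC> <host> login user=<account> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_ts(text):
    """Parse a constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as aware UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Binding:
    account: str        # shared technical account being checked out
    operator: str       # personal user ID of the human behind the session
    reason: str         # "routine" or "emergency" O&M
    start: datetime
    end: datetime       # explicit check-in or TTL expiry, whichever comes first


class Ledger:
    """Tracks which person holds a shared technical account at any moment."""

    def __init__(self, technical_accounts):
        self.technical = set(technical_accounts)
        self.history = []   # every binding ever made, for later attribution

    def _active(self, account, now):
        for b in self.history:
            if b.account == account and b.start <= now < b.end:
                return b
        return None

    def checkout(self, account, operator, reason, now, ttl=timedelta(hours=1)):
        """Bind a shared account to one operator; refuse concurrent holders."""
        if account not in self.technical:
            raise ValueError(f"{account} is not a shared technical account")
        if reason not in ("routine", "emergency"):
            raise ValueError("reason must be 'routine' or 'emergency'")
        held = self._active(account, now)
        if held is not None:
            raise PermissionError(f"{account} is already bound to {held.operator}")
        binding = Binding(account, operator, reason, now, now + ttl)
        self.history.append(binding)
        return binding

    def checkin(self, account, now):
        """End the current binding early so the window in the ledger is exact."""
        held = self._active(account, now)
        if held is None:
            raise PermissionError(f"{account} has no active binding")
        held.end = now
        return held

    def attribute(self, line):
        """Return (account, person_or_None, note) for one bastion log line."""
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparsed log line: {line}")
        user, when = m["user"], parse_ts(m["ts"])
        if user not in self.technical:
            # Personal account: the user ID already names the person.
            return user, user, "personal account, directly attributable"
        binding = self._active(user, when)
        if binding is None:
            # Shared account used outside any check-out: nobody is accountable.
            return user, None, "ALERT: shared account used outside any binding"
        return user, binding.operator, f"{binding.reason} check-out by {binding.operator}"


# Constructed sample log: one personal login, one bound shared login, one unbound.
SAMPLE_LOG = [
    "2024-05-02T10:05:00Z bastion login user=asha.rao src=10.0.1.5",
    "2024-05-02T10:20:00Z bastion login user=ops-svc src=10.0.1.5",
    "2024-05-02T13:00:00Z bastion login user=ops-svc src=10.0.1.9",
]


def run_demo():
    ledger = Ledger(["ops-svc", "db-admin"])
    ledger.checkout("ops-svc", "asha.rao", "routine", parse_ts("2024-05-02T10:15:00Z"))
    ledger.checkin("ops-svc", parse_ts("2024-05-02T10:45:00Z"))
    return [ledger.attribute(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for account, person, note in run_demo():
        print(f"{account:10} -> {str(person):10} {note}")
```

The third sample line is the case that matters operationally: the shared account authenticated successfully, so the bastion itself raised no error, and only the ledger reveals that no person had checked it out at that time. In production this binding is usually enforced by a privileged-access or vault system that issues the technical account's credential only against a named requester and records the window; the ledger here stands in for that record.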
There are a growing number of specifications and standards which relate to privacy and the protection of PII. One of the most significant for the use of cloud services is ISO/IEC 27018 – "Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors." As its title implies, it specifically covers public cloud services which are processing PII. ISO/IEC 27018 is based on the ISO/IEC 27001 information security management system standard and on the set of security controls found in the ISO/IEC 27002 standard. These standards provide the underlying security foundation for the processing of PII in a cloud service. ISO/IEC 27018 extends them with an additional set of controls based on the privacy principles of the ISO/IEC 29100 standard – Privacy Framework, which describes the processing of PII generally and which cloud service customers should also consult.
From a security perspective, it is important that once the customer has completed the termination process, "reversibility" is achieved (sometimes loosely described as a "right to be forgotten", although that term properly refers to a data subject's right against a controller rather than a customer's exit from a provider): none of the customer's data should remain with the provider.
The provider must ensure that every copy of the data is wiped from its environment wherever it may have been stored, including backup locations as well as online data stores. Other data held by the provider may also need "cleansing" of information relating to the customer (for example logs and audit trails), although some jurisdictions require records of this type to be retained for specified periods by law. Because the customer cannot observe the provider's backup systems directly, it should require written confirmation of deletion, including when the last backup set containing its data will expire.
If the above are implemented well, then Indian enterprises will be able to leverage the best of the cloud environment in an Indian context.