Businesses must be aware of the security risks associated with the different cloud deployment models, i.e. private, hybrid or public. To start with, it is important to map out the data flow from the current infrastructure to an eventual cloud service provider, whether in a private or public context. It is essential to understand if and how data can move in and out of the cloud. A high-level understanding of the security risks involved also enables businesses to determine which security and risk controls are appropriate to put in place, and to act proactively.
The three primary service modes in cloud computing, SaaS, PaaS and IaaS, also represent different security approaches for businesses. In the case of SaaS, the service provider is responsible, or should be, for maintaining acceptable service levels and security, governance, compliance and liability expectations. In the case of PaaS and IaaS, however, the customer is responsible for effectively managing the same expectations, while the service provider normally ensures at least some degree of security for the underlying platform and infrastructure components.
CSA also points to the importance of classifying risk in relation to each service mode and the location of assets. For example, in a hybrid cloud context, both the customer and the service provider can be responsible for the same risks. The problem is that it is sometimes difficult to determine when accountability should be taken and by whom. Due to a lack of information about the security controls maintained by the service provider, customers can also be misguided, potentially leading to wrong decisions and adverse outcomes.
Finally, it should be kept in mind that the security controls in cloud computing are for the most part the same as in any IT environment. Because of the different cloud service models employed and the associated technologies used, some risks may differ from those of traditional IT solutions. As cleverly worded in the CSA Guidance paper: “Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties.”