Cloud Security Requirements
Posted: Thu Feb 13, 2025 4:02 am
Let's look at these issues in more detail, based on material by Sonja Gresser, client systems architect at IBM Security Software, which was recently published in the online publication IBM Security Intelligence.
Cloud application security is a multi-variable task. Effective protection involves ensuring confidentiality of data exchange, control of integrity, availability, authenticity, data identifiability, verification of authenticity and personal ownership.
But this list of requirements is unlikely to surprise anyone: they are classic for building defenses for traditional corporate systems. Transferring them to cloud systems is an obvious step, but it cannot be done directly: architectural solutions and different models of using cloud services coexist in the cloud. The clients of cloud services also have different security requirements. Therefore, there is no single universal solution, and solutions have to be adapted individually for each project.
The "legislator" in developing rules for the management and control of cloud corporate systems today is ISACA, an international organization that accumulates security knowledge across various areas of IT and deals with its application to corporate systems, certification and training. It developed a set of rules (COBIT) prescribed for the corporate sector to achieve the necessary quality and security of information systems, taking emerging risks into account and ensuring the necessary degree of control.
Security controls for corporate IT systems in the cloud are divided into four levels:
1) control over the work of users;
2) information protection;
3) application protection;
4) infrastructure security.
In practice, there are three cloud models today: IaaS, PaaS and SaaS. However, real cloud projects often have a more complex configuration and represent a combination of elements of several cloud models.
The security problem in this case is projected as follows. With IaaS, the cloud provider takes on the functions of providing a reliable hardware infrastructure and supporting virtual systems, while the user is given the role of an administrator managing network and system configurations, application systems and data.
With PaaS, the provider is responsible for ensuring security for the infrastructure, including responsibility for the security of all middleware-class system components (e.g., databases). The user retains control over the security of applications and data.