Keys to achieving trust and accountability in the cloud

You’ve read or heard the news: Sony, Lockheed and other big organizations are hacked; Amazon’s cloud goes down. The FBI shuts down servers in its mission to take down the LulzSec hackers. It’s no wonder CIOs and IT leaders are nervous about cloud computing security and data in the cloud.

 

Earlier this year, I reported on a CIO.com and IDG survey of more than 450 IT professionals. What was the number one challenge of cloud computing according to survey participants? You guessed it—security. A whopping 71 percent of enterprises placed security among their top three concerns. The second and third most cited challenges are concerns about information access and concerns about information governance.

 

 

This lack of confidence is a key inhibitor to cloud computing and threatens to undermine the pace at which cloud is endorsed and implemented by organizations.  What’s needed is research and a framework or conceptual model for accountability and trust in cloud computing. The smart innovators at HP Labs are doing just that, putting their minds, experience and knowledge to work to address these issues of trust, security and privacy in clouds.

 

Research in cloud accountability needed

While much research and innovation has gone into preventive controls for security and privacy in the cloud, the TrustCloud research led by HP Labs Singapore found that few are focusing on detective controls around the areas of cloud accountability and auditability. Detective controls are those that identify privacy or security risks that go against the privacy and security policies and procedures of an organization.  Detective approaches complement preventive approaches as they enable the investigation not only of external risks, but also risks from within the Cloud Service Provider (CSP). Detective approaches can also be applied in a less invasive manner than preventive approaches. Here are two examples of detective controls:

 

  1. an intrusion detection system on a host or network
  2. a security audit consisting of trails, logs and analysis tools

 

The TrustCloud framework

In addition to detective controls, HP researchers have developed a conceptual model—the TrustCloud framework—that potentially can be used to give cloud users a single point of view for accountability of the CSP. They examined accountability in the cloud from all aspects, using the Cloud Accountability Life Cycle. The life cycle consists of seven phases of cloud accountability: policy planning; sense and trace; logging; safekeeping of logs; reporting and replaying; auditing; and optimizing and rectifying. They then examined the five layers of cloud accountability and recommended technical and policy-based approaches for each layer that will help to achieve a trusted cloud. These five layers include:

 

1.      System Layer

2.      Data Layer

3.      Workflow Layer

4.      Laws & Regulations

5.      Policies

  

What’s next? The researchers are currently researching and developing solutions for each layer, with one example being a logging mechanism for the system layer of cloud accountability.

 

To learn more about achieving a trusted cloud through the use of detective controls and the TrustCloud framework, which addresses accountability in cloud computing via technical and policy-based approaches, download the technical report. 

 

 

About the Author
Judy Redman has been writing about all areas of technology for more than 20 years.