NIST provides recommendations for organizations using a public cloud. This excellent document gives very practical guidelines. Every IT manager who plans to use a public cloud infrastructure, and who cares about reliability, security and liability, should read it before making any decision and before selecting a service provider.
Faced with the economic benefits of the public cloud, it is extremely difficult to resist the sirens' song. This document raises some serious issues and may help to keep things under control. For instance:
- Even if you are using a public cloud, your company remains accountable for the overall security of your service, including the outsourced part. You can outsource the operation, not the responsibility.
- As a cloud computing infrastructure is highly uniform, it should in theory be easier to harden the platforms and manage their security (a positive point for IaaS). Unfortunately, the use of hypervisors (virtual machines) increases the attack surface, because the hypervisor is an additional software layer that must itself be secured, even though many people believe that virtual machines are more secure.
- Sharing an infrastructure with unknown parties (multi-tenancy) is a potential issue. Strong assurance should be provided for the mechanisms enforcing the logical separation between tenants.
- Be ready to audit your service provider if security matters to you, and make sure the contract gives you the right to do so.
A must-read paper if you are about to board the cloud boat. The paper is about the public cloud. Nevertheless, some parts are also useful in the context of a private cloud.
Reference
W. Jansen and T. Grance, Guidelines on Security and Privacy in Public Cloud Computing, NIST Special Publication 800-144 (draft), 2011. Available at http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf