Peer-reviewed article

Building a Secure Enterprise Model for Cloud Computing Environment

2012; Allied Academies; Volume: 15; Issue: 1; Language: English

ISSN

1524-7252

Authors

Meena Srinivasan

Topic(s)

Cloud Data Security Solutions

Summary

ABSTRACT

Security is a major concern for enterprises and a good information security framework is essential for the continued success of enterprises that use cloud computing services with vendors. The ISO/IEC 27002 security standard is based on a management systems approach and is the choice of many enterprises for developing security programs. As enterprises are rapidly adopting cloud services for their businesses, measures need to be developed so that organizations can be assured of security in their businesses and can choose a suitable vendor for their computing needs. This research proposes a mechanism for managing security in a cloud computing environment using the ISO/IEC 27002 framework.

INTRODUCTION

Cloud computing is one of the most attractive technologies that has experienced rapid growth where vendors provide services to enterprises over the Internet. The promising future of cloud can be impeded by security concerns due to the complex nature of the cloud. This research will focus on developing secure measures in the cloud computing environment from an enterprise level perspective. Maturity levels are an effective way for managers in enterprises to measure the effectiveness of security for the organization. A number of security maturity models exist but a good choice is one that is aligned with business needs of an organization (Urquhart, 2010). The ISO/IEC 27002 framework does not have any mandatory requirements and the various categories in this framework will be analyzed for the cloud computing environment. The rest of this paper is organized as follows: Cloud computing is described in section 2 and the available security measures discussed in section 3. The ISO/IEC 27002 framework is explained in section 4. The application of the ISO/IEC 27002 framework to the cloud environment is described in section 5 followed by summary in the last section.

WHAT IS CLOUD COMPUTING?

In the cloud environment, computing resources are delivered as services to enterprises by vendors. Enterprises can access resources provided by the vendor using the Internet as opposed to hosting and operating them locally. From this simple definition of cloud, one can note that cloud computing offers many benefits. The cloud vendor does the maintenance of hardware and software, and the vendor can provide adequate resources and storage to enterprises if the demand increases. This scalability property is an advantage in cloud computing. Enterprises which use the services of the cloud vendor have an agreement with the vendor. Cloud vendors can offer software, platform, infrastructure, storage or combinations of these as services to enterprises. The enterprises do not have control over many issues in the cloud environment. Security is a major concern for these enterprises as many cloud vendors are not transparent on security matters. It is important that enterprises and the cloud vendors address security issues and have a negotiation referred to as service level agreements (SLA) (Creese, Hopkins, Pearson and Shen, 2009). Enterprises need to make sure that SLA negotiations are maintained. In legal issues the enterprise has to take steps to find violations in the SLA (Chapin, Akridge, 2005). In the cloud environment, the exact location of the data is hard to detect, and the data may span different countries and, in case of legal issues, is subject to the laws of that nation. Cloud vendors may have multiple tenants and offer multi-tiered services. When enterprises use clouds, there is a high level of risk due to many enterprises or tenants sharing the cloud. The cloud vendor must ensure the highest level of security to each of its clients. The cloud service provider may use different sub vendors for their services. A cloud vendor can provide infrastructure services but may use another vendor's service for software and hence the service is multi-tiered.
With this multi-tier service, the risk associated with each tier is high and, with different vendors, implementing secure measures is complex. …
