
Conclusion

In document CLOUD COMPUTING SECURITY (Page 92-96)

It is very difficult to assess the implementation of security measures by cloud vendors given the paucity of information provided by the vendors themselves.

Many vendors document the use of SSL and HTTPS but do not offer information about any other technologies used. Standard cloud system technologies should be defined and introduced in the near future.

Cloud vendors usually provide information about service level agreements and the safeguarding of privacy. However, this information is often so vague that it is only possible to speculate on the way in which it is actually used. When it comes to assessing user privacy, a distinction must be made between those enterprises which store data in the European Union and those which store data in the USA – different rules and regulations apply in each case. The Safe Harbor Framework and the TRUSTe program are helpful in this context, although not all cloud vendors – i.e. CohesiveFT or RightScale – have accepted these data privacy principles. Another important point is the measurement of time- and volume-based values and the monitoring of contractually agreed service quality.

Cloud vendors already use metering procedures, but the measured values are not transparent for cloud users.

Until such time as statutorily mandatory standards apply to cloud systems, users would be well advised to assess all cloud vendors very carefully before using their services. Such an assessment should cover the most important security aspects discussed in chapter 5.

7 Summary and outlook

In recent years cloud computing has become an important buzzword referring to the provisioning of IT services on remote resources and their procurement from, in most cases, public networks. Cloud proliferation is accompanied by a permanent revolution in the services launched on the market by vendors. In this context particular attention is merited by the security functions which are offered by cloud services.

The discussion in the previous chapter reveals a very mixed picture as far as the security aspects of cloud services are concerned. Essential security functions which use known technologies are also used in cloud computing systems to encrypt a data channel, for example. Vendors do differ quite radically in some cases, however, in terms of the security features they support. The lack of a standardized security configuration also makes it difficult to compare different vendors.

The following sections summarize the findings of the study and look ahead to some of the issues which will need to be resolved in order to provide efficient and user-friendly cloud computing services in the future. This section concludes by outlining the services offered by Fraunhofer AISEC in the field of cloud computing security.

7.1 Study findings

The study comes to the following conclusions:

• The structure of cloud computing systems comprises four layers – end user, software, platform, and infrastructure – and the players acting on these layers form a very complex IT security framework. This study describes all the key layers and players that must be examined, depending on the application and the selected cloud service.

• Certified tools based on cloud services are essential for cloud computing systems to increase the portability and interoperability of individual cloud service offerings. Standardization bodies, reference implementations, and development environments adapted to cloud computing systems must exist for this purpose.


• The cloud security taxonomy provides a clearly structured framework of the security areas that should be considered when using cloud services.

Owing to the rapid development pace of both the technologies and the existing services, the application of the cloud taxonomy should be project based and the weighting accorded to individual security areas adapted to the specific requirements in each case.

• Modern cloud service portfolios clearly use a whole series of security technologies already, especially on the infrastructure layer. On the other hand, when it comes to architecture, administration, and compliance, cloud vendor support for security technologies is not yet adequate to achieve the stipulated protection goals. More detailed analyses are called for here to identify which current technologies are potentially suitable and determine whether new technologies need to be developed. There is a trend toward procuring certain security functions, such as parts of the identity or access management functionality, as a service from specialist vendors.

• On the administration side, service level agreements are an important instrument for specifying all the rights and obligations that exist between cloud users and cloud vendors. The standardized service level agreements offered at present, which are not normally freely negotiable by cloud users but can simply be either accepted or rejected, provide only minimal guarantees regarding cloud service quality. In particular, the security guarantees contained in these agreements are very rudimentary, and need to be extended in order to achieve the above-mentioned protection goals.

Systems to facilitate automatic monitoring and testing of the agreed service quality criteria are also essential.

• From the compliance perspective, there are no objections to the use of cloud services. However, the responsibility for the data concerned usually lies with the cloud user, who needs to define precise guidelines stating which information is allowed to be stored and processed in a cloud service and how, and simultaneously specifying the necessary security functions. From a legal viewpoint, too, the restrictions to which certain data is subject and the use of specific cloud services should be separately considered in each case.

• The market overview in chapter 6.1 gives a general rundown of selected cloud services together with their prices and functionalities. The taxonomy of secure cloud computing is then applied to these services and their security functions assessed. It is fair to say here that information about the implemented security functions is not adequately documented by cloud vendors. In many cases, security plays only a minor role when they present their services, so detailed information should be requested from the vendor before choosing or using a specific cloud service. If appropriate, a proof of concept should be carried out before the service is actually put to productive use.
