A: There are two primary classes of risk that arise from a cloud computing environment with respect to security.

One is that when an enterprise outsources a large part of its operations to another party, there is an increase in dependency on the provider. Enterprise CIOs need to retain enough visibility on how their data is managed in the cloud environment and have confidence on the practices followed by the cloud service providers.

Cloud providers are addressing the security issues by getting certifications and undergoing security risk audits. However, risks exist and these need to be managed by the CIO.

The second risk is of improper separation between various cloud customers. This risk is the result of having a shared or multi-tenant infrastructure in the cloud. So we have data of multiple customers residing on a single physical server. Some of these customers could be competitors or hackers trying to break in the cloud.

CIOs have to depend on the ability of the cloud providers to set a high bar for securing their data and to provide adequate separation between the customers. Separation is of high importance in a cloud environment because of the sharing of infrastructure like servers, network and storage with other customers.

A: Well, exactly. It is one thing to talk about and another to execute it with perfection. CIOs cannot accept the happy promises of the cloud providers as being factual. They need to use the best practices of the industry and ensure that the necessary protection is  in place.

I would advise CIOs who are considering moving to a cloud environment to refer to the Cloud Security Alliance (CSA) guidance in all of the different areas related to cloud security, specifically with respect to separation, as this is an area where different providers have varied approaches.

A: The various cloud model approaches are related to different layers and the types of services offered. There are three kinds of cloud service providers. The first offer Software-as-a-Service (SaaS), the second provide Platform-as-a-Service (PaaS) and the third offer Infrastructure-as-a-Service (IaaS). We can think of these services as various layers on which the cloud providers offers their services.

SaaS providers provide services till the application layer and it is their responsibility to provide security features wherever it is needed. The separation, in most of the cases, is provided at the application layer in the architecture. The risk in providing separation at the application layer is that it will only take a simple programming or configuration error to open the doors for other customers or hackers to access data.

An example to support this was the situation that Google had with their Google Docs service where they accidentally gave access to customers’ documents.

In PaaS, the customer provides the applications that run on top of the platform supplied by the cloud provider. In this scenario, the cloud provider’s platform is responsible for providing the separation. The good thing about this service is that instead of having an application layer, we have a lower level that is more fundamental in form to ensure separation between various customer data.

In IaaS, the cloud providers provide the lowest level of service but this also ensures the maximum level of secure separation between customer data. The virtual machines used by different customers are separated by a hypervisor or a virtual machine monitor. This hypervisor is designed exclusively to provide separation.

A: There are several aspects and I must admit that I am not a legal expert on either international or Indian law.

However, looking at it from an abstract perspective, the cloud model is similar to an outsourcing model. When a contract is drafted between the customer and the cloud provider, one needs to be careful that appropriate provisions are included in the contract for liability.

It is important that this liability be commensurate with the responsibility and authority of both the parties. So a SaaS provider should take equivalent responsibility from a legal perspective. They should not wash their hands off it and put the onus on the customer in case of any breach. For an IaaS provider, the level of their liability and responsibility should be lower.

The other issue with this legal process is the jurisdiction. If the services are provided from a different location or country then you are in the hands of international law and this complicates matters immensely. So enterprises normally would prefer having the services hosted in a jurisdiction that they are comfortable with, either in their own country or in locations where they have a strong presence.