Despite recognizing the value of the cloud, concerns over infrastructure security remain.
Despite recognizing the value of the cloud, many within the Five Eyes community – and beyond – also harbor concerns over infrastructure security, including storage location, encryption, access to data and encryption keys, and high-level data sovereignty.
Cloud computing delivery models have varying security requirements. In the case of Software as a Service (SaaS), the cloud provider deploys, configures, maintains and updates the operation of the software applications.
For complete end-to-end security, the success of Software as a Service (SaaS) relies on Platform as a Service (PaaS), which in itself relies on Infrastructure as a Service (IaaS), with all three layers secure and fully integrated. Security must extend to the database, operate 24/7, with end-to-end encryption applied for all data whether at rest or in transit. Confidence in the cloud will only grow once advanced persistent threats (APTs), such as Heartbleed and Venom, are countered.
Security issues arise from complex environments caused by application fragmentation, interfaces and distributed data. In-depth, layered security (through archive, middleware, hardware, software, and mobile front-end-to-user) is critical to manage external or internal threats. Evolving technologies such as client assurance and security monitoring systems complement identity management. Additional measures such as data vaults, data labelling and end-to-end encryption provide further assurance.
At the recent Oracle Open World 2015, CEO Larry Ellison outlined a new direction for cloud security and technology at the chip level. The key to success is fusion between the cloud layers, with security flowing seamlessly through the entire stack. Security encryption is always on and has limited/zero effect on performance. At the chip level, the new M7 chip locks memory storage, which can only be accessed by an encryption key. Any attempt by an advanced, package tool (APT – a free software user interface) to access the memory without a key is blocked and alerted. The keys themselves are stored in a ‘key vault’ maintained by the client on its own site. All data is encrypted, including test and development and back-up recovery. Data masking must also be added for internal database work in the test and development environment along with a database firewall to prevent structured query language (SQL – a special-purpose programming language) injection.
The ultimate question for a prospective cloud vendor should be: “can you see our data?” If the answer is “yes” then the cloud is not secure.
© 2018 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.