Addressing concerns over cloud security

Despite recognizing the value of the cloud, concerns over infrastructure security remain.

Despite recognizing the value of the cloud, many within the Five Eyes community – and beyond – also harbor concerns over infrastructure security, including storage location, encryption, access to data and encryption keys, and high-level data sovereignty.

Cloud computing delivery models have varying security requirements.  In the case of Software as a Service (SaaS), the cloud provider deploys, configures, maintains and updates the operation of the software applications.

Cloud solutions from public to private

Source: KPMG International, 2016.

For complete end-to-end security, the success of Software as a Service (SaaS) relies on Platform as a Service (PaaS), which in turn relies on Infrastructure as a Service (IaaS), with all three layers secure and fully integrated. Security must extend to the database and operate 24/7, with end-to-end encryption applied to all data, whether at rest or in transit. Confidence in the cloud will only grow once advanced persistent threats (APTs), such as Heartbleed and Venom, are countered.

Security issues arise from complex environments caused by application fragmentation, interfaces and distributed data.  In-depth, layered security (through archive, middleware, hardware, software, and mobile front-end-to-user) is critical to manage external or internal threats.  Evolving technologies such as client assurance and security monitoring systems complement identity management. Additional measures such as data vaults, data labelling and end-to-end encryption provide further assurance.

Is fusion technology the answer?

At the recent Oracle Open World 2015, CEO Larry Ellison outlined a new direction for cloud security and technology at the chip level. The key to success is fusion between the cloud layers, with security flowing seamlessly through the entire stack. Security encryption is always on and has limited/zero effect on performance. At the chip level, the new M7 chip locks memory storage, which can only be accessed by an encryption key. Any attempt by an advanced, package tool (APT – a free software user interface) to access the memory without a key is blocked and alerted. The keys themselves are stored in a ‘key vault’ maintained by the client on its own site. All data is encrypted, including test and development and back-up recovery. Data masking must also be added for internal database work in the test and development environment along with a database firewall to prevent structured query language (SQL – a special-purpose programming language) injection.

The ultimate question for a prospective cloud vendor should be: “Can you see our data?” If the answer is “yes”, then the cloud is not secure.

Key questions

  • What steps are you taking to increase the security of your cloud services?
  • Are you comfortable outsourcing to an offsite cloud provider?
