Security in Cloud Computing

A Microsoft Perspective
January 2010

The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of Microsoft. Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property. 2009 Microsoft Corp. All rights reserved. Microsoft, Bing, Hotmail, Microsoft Dynamics, MSN, and Windows Live are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Microsoft Corp. One Microsoft Way Redmond, WA 98052-6399 USA

2009 Microsoft Corporation. All rights reserved.

Contents
Cloud Computing Evolution .................................................................................... 3 Cloud Computing Considerations ............................................................................ 4 Cloud Computing Benefits and Challenges ............................................................... 5 Closing ................................................................................................................. 7

2009 Microsoft Corporation. All rights reserved.

Cloud Computing Evolution

The world of information technology is at a transitional moment. Internet-based data storage and servicesalso known as cloud computingare rapidly emerging to complement the traditional model of running software and storing data on personal computers (PCs) and servers. Cloud computing enhances computing experiences by enabling users to access software applications and data that are available on demand and are stored at off-site data centers or at an organizations1 onsite data center, rather than on an individual device or PC. The term cloud computing is not radically new and some services have long been offered in the cloud. E-mail, instant messaging, business software, and Web content management are among the many applications that are offered via a cloud environment. Many of these applications have been offered remotely over the Internet for a number of years, which means that cloud computing might not feel markedly different from the current Web for most people. (Technical readers will rightly cite a number of distinct attributesincluding scalability, flexibility, and resource poolingas key differentiators of the cloud. These types of technical attributes will not be addressed here as they are outside the scope of this document.) For example, traditional e-mail services run in provider data centers, with user data shared on e-mail servers. But these older cloud services lack some of the key characteristics of the new cloud. They are mainly mainstream software as a service models in the public cloud, in which the provider controls everything from the underlying hardware to user authentication. Users cannot host their own applications and their elasticity is limited. In addition, users are given finite storage space. The term cloud computing refers to several different computing paradigms, not all of which are completely new. For example, as the United States Institute of Science and Technology (NIST) has explained,2 cloud computing has three service models: 1) Software as a Service, through which applications are provided in the cloud; 2) Platform as a Service, through which a cloud provider permits users to create or run applications using languages and tools supported by the provider while the provider delivers the underlying infrastructure such as servers, operating systems, or storage; and 3) Infrastructure as a Service, through which a customer can deploy a computing infrastructure similar to a virtualized environment. The essential characteristics of all three models include self-service (a customer can access new capabilities), shared resources, and rapid elasticity (e.g., as a business grows, it can rapidly add additional processing power and storage). Cloud services can be delivered as private clouds operated solely by or for one organization, community clouds for organizations with similar service requirements, and public clouds where there is one general service level agreement and data resides on shared resources. The cloud model is far more flexible and interesting, and has important implications for security and privacy-increasing security in certain areas but posing new risks as well.
1
2

For the purposes of this document, an organization broadly describes a governmental or business entity, group, or team http://csrc.nist.gov/groups/SNS/cloud-computing/

2009 Microsoft Corporation. All rights reserved.

Services that operate in the cloud often work in tandem with a client application operating on the desktop computer. For example, instant messaging and e-mail applications running on a computer rely on the cloud infrastructure for their connected features and also require a client download. The combination of client plus cloud offers individuals, governments, and businesses greater choice, agility, and flexibility while also greatly increasing efficiency and lowering information technology (IT) costs. It gives customers access to information, software, and services at lower cost and on a range of intelligent devicesfrom PCs to mobile phones to televisions. As a result, this next generation of computing has enormous potential to create new business opportunities and economic growth. As with other major technological transitions, the evolution of cloud computing has drawn widespread attention and scrutiny in the news media. It has also raised policy questions concerning how people, organizations, and governments handle information and interactions in this environment. However, with regard to most security and data privacy questions, cloud computing reflects the evolution of the Internet computing experiences we have long enjoyed, rather than a revolution. This paper examines, at a high level, the changes that this evolution will likely bring to computer security and includes benefits as well as challenges.

Cloud Computing Considerations

To understand how cloud computing differs from traditional computing requires both an understanding of the cloud shift and careful thought about how this new computing model affects businesses and consumers. The shift toward cloud computing has been underway for a number of years as part of an ongoing evolution. Previously, information was stored largely in paper files in file rooms or off-premises storage and delivered in person or through inter-office mail systems. Today, most data is stored on computer servers outside the users immediate physical control and shared across international and organization boundaries with multiple sources via new tools like email, collaborative websites, and social networking. A key distinction of cloud computing is that information storage and processing need not be limited by space or geography. Indeed, cloud computing users typically dont even need to know how many virtual filing boxes they will need because the available space and processing power scales to meet their needs. By moving business applications or processes to the cloud, organizations may experience changes to established IT practices. The off-premises cloud offers many potential advantages, including security improvements. Yet there are, in fact, some important differences between the old world and the new, and organizations need to consider these differences in business planning and risk management. What are some of the important differences between the cloud and the existing IT model, and how should companies address those differences in their business planning? In the traditional enterprise, an organization is responsible for all aspects of its people, processes, and technology. The enterprise purchases the hardware, licenses the software, secures the data centers that house them, and hires the people to run it.

2009 Microsoft Corporation. All rights reserved.

As a result, an organization is responsible for managing: 1) The physical location of the data center (affecting which countrys law applies); 2) The security of the data center; 3) The trustworthiness of system administrators; and 4) The documented information security program that protects the confidentiality, integrity, and availability of data and systems, including, but not limited to, configuration, patching, incident response, and business continuity management. By contrast, particularly in non-private clouds, many of these functions will be handled by a cloud provider. Physical security for the data center will be managed by the cloud provider, and system administrators may be employees of the cloud provider, not the organization using the cloud. One could argue that this may be new for some, but not for those who have already outsourced critical IT functions to third parties. However, there are elements of cloud services that represent wholesale change. For example, to make cloud services capable of expanding flexibly, hardware will be shared and the security boundary between different organizations may be virtual (virtualized compartments) as opposed to physical (different hardware). Additionally, the on-the-fly allocation of additional resources might mean that the geographical location of data may be based on scalability and availability or other factors versus security and jurisdictional considerations, especially when a cloud provider has data centres in multiple jurisdictions. While selecting which resources to use without concerns about physical location could lead to some efficiencies, there may also be uncertainty as to which sovereign law will apply to handling the data. Additionally, individuals in a government or enterprise may decide on their own to sign up for a cloud service without consulting their IT department, leaving the company exposed to unmanaged risks. It is therefore important that organizations think clearly about the implications of cloud computing and address those implicationsbefore embracing the cloud. In that regard, we offer some general observations and some specific challenges to consider.

Cloud Computing Benefits and Challenges

Cloud computing affects the security of organizations in several ways. One positive aspect of cloud computing, as mentioned above, relates to the application of skilled resources. The fact is, technology has spread around the globe far faster than people could be trained to manage it well, even where technology solutions were created in a secure manner with secure defaults. The aggregated assets handled by a cloud service operator take on new importance because of the scale of the data in their control. However, cloud service providers investments in security personnel and practices work to the benefit of all cloud customers. Another positive benefit of cloud services relates to centralized data stored in large data centres, which can be accessed from anywhere and is much easier to manage and protect than massive decentralized data stores. For example, the use of data centers can minimize the risk of losing critical company data that might otherwise be stored locally on a laptop computer or device, which can easily be stolen or misplaced.

2009 Microsoft Corporation. All rights reserved.

On the other hand, a cloud computing model also presents different risk management challenges. The reliance on remote cloud services places a renewed importance on the resiliency and availability of both the communications that connect the enterprise to the data center, and the availability of the cloud service. Organizations must fully assess their needs and the capabilities of their carriers and cloud service providers. To the extent that quantities of data from many companies are centralized, this collection can become an attractive target for criminals. Moreover, the physical security of the data center and the trustworthiness of system administrators take on new importance. While decentralization may have created its own challenges, aggregating the data today increases the potential damage that could be caused when a data store is compromised. The aggregation of data also raises new privacy issues. Some governments may decide to search through data without necessarily notifying the data owner, depending on where the data resides. Apart from governments, a question exists as to whether the cloud provider itself has any right to see and access customer data. Some services today track user behaviour for a range of purposes, from sending targeted advertising to improving services. Interesting jurisdictional challenges for both security and privacy will also arise. Assume, for example, a hacker breaks into Cloud Provider A and steals data from Company X. Assume, too, that the compromised server also contained data from Companies Y and Z. Who investigates this crime? Is it the Cloud Provider, even though Company X may fear that the provider will try to absolve itself from responsibility? Is it Company X and, if so, does it have the right to see other data on that server, including logs that may show access to the data of Companies Y and Z? It is impossible, of course, to review and consider all of these areas and specific questions today. It might even be impossible to know all the questions today. But understanding these issues does allow those thinking about cloud services to ask some very pointed questions about whether to embrace the cloud and, if so, how. The first fundamental question relates to the type of cloud an organization should embrace. If an organization wants to retain control over the physical assets and personnel operating the cloud, this would suggest a private or community cloud offering managed by the enterprise itself or by a trusted third party. If, by contrast, an organizations risk management approach focuses less on direct control over physical assets and the operational personnel, it may seek to reduce costs and increase flexibility by outsourcing operations through cloud services. The key is to understand which pieces will be retained and which will be managed by others. For example, an organization using the data center and personnel of a cloud provider is essentially outsourcing those functions and should ask traditional outsourcing questions. What are the security and privacy policies of the outsourcer? How are they enforced? Is there transparency into these processes and are there trusted external certifications? Are they regularly audited? What happens in the event of an incident? There are also new questions to ask, such as: How does the elasticity offered by the provider affect the geographical location of where my data might be stored? An organization also needs to know what functions it wants to continue to control. For example, who gets to decide what authentication mechanisms are used to access applications and data in the cloud? Is it the cloud service provider, the cloud customer, or some third party? How does ad hoc collaboration work in this environment?

2009 Microsoft Corporation. All rights reserved.

Finally, it is worth noting that many people view the cloud as two simple categories: private or public. But even today we are already in a much more complex environment, which includes various hybrid models. An organization might have a business application(s) managed on-premises, managed in a community cloud, or potentially distributed across different public cloud providers. The choice or choices made will have a significant impact on the security approach taken, and the ability to move data and applications into the cloud or back to on-premises management.

In Closing
Client-plus-cloud computing offers enhanced choice, flexibility, operational efficiency, and cost savings for governments, businesses, and individual consumers. To take full advantage of these benefits, reliable assurances regarding the privacy and security of online data must be provided. In addition, a number of regulatory, jurisdictional, and public policy issues remain to be solved in order for online computing to thrive. Microsoft has been addressing many of these issues since 1994, when the company delivered its first online services for consumers and enterprises. A breadth of experience over multiple years has shaped the companys adherence to the security development lifecycle for secure coding design, development, and deployment. Microsoft also has delivered a set of privacy principles that apply to products and services, while ensuring corporate privacy policy compliance, product and service development excellence, and overall business practices rigour. These components anchor Microsofts commitment to maintaining the highest standards of privacy and security in online services and partnering with other industry leaders, governments, and consumer organizations to develop globally consistent security and privacy frameworks that increase the economic and social value of cloudbased computing.

2009 Microsoft Corporation. All rights reserved.