There's been plenty of confusion about what cloud computing can and can't do for organizations. To help clear the air – and provide guidance to government agencies mandated to move to cloud – the National Institute of Standards and Technology (NIST) issued a set of working guidelines on cloud security and privacy. The guidelines, prepared by Wayne Jansen of Booz Allen Hamilton and Tim Grance of NIST, are meant for agencies and contractors, but provide excellent guidance to private sector insurance organizations as well.
Here are some of the key areas where cloud offers benefits:
Staff specialization: “Cloud providers, just as other organizations with large-scale computing facilities, have an opportunity for staff to specialize in security, privacy, and other areas of high interest and concern to the organization. Increases in the scale of computing induce specialization, which in turn allows security staff to shed other duties and concentrate exclusively on security and privacy issues.”
Platform strength: “The structure of cloud computing platforms is typically more uniform than that of most traditional computing centers. Greater uniformity and homogeneity facilitate platform hardening and enable better automation of security management activities like configuration control, vulnerability testing, security audits, and security patching of platform components.”
Resource availability: “The scalability of cloud computing facilities allows for greater availability. Redundancy and disaster recovery capabilities are built into cloud computing environments and on-demand resource capacity can be used for better resilience when faced with increased service demands or distributed denial of service attacks, and for quicker recovery from serious incidents.”
Backup and recovery: “The backup and recovery policies and procedures of a cloud provider may be superior to those of the organization and may be more robust. Data maintained within a cloud can be more available, faster to restore, and more reliable in many circumstances than that maintained in a traditional data center, and also meet offsite backup storage and geographical compliance requirements.”
Mobile endpoints: “Since the main computational resources needed by cloud-based applications are typically held by the cloud provider, clients can generally be lightweight computationally and easily supported on laptops, notebooks, and netbooks, as well as embedded devices such as smart phones and tablets, benefiting the productivity of an increasingly mobile workforce.”
Data concentration: “Data maintained and processed in a public cloud may present less of a risk to an organization with a mobile workforce than having that data dispersed on portable computers, embedded devices, or removable media out in the field, where theft and loss routinely occur. Carefully constructed applications can restrict access and services to only the data and tasks that correspond strictly with the responsibilities a user needs to accomplish, limiting data exposure in the event of a device compromise.”
Here are downsides to cloud computing, as identified by NIST:
System complexity: “A public cloud computing environment is extremely complex compared with that of a traditional data center. Many components make up a public cloud, resulting in a large attack surface. Besides components for general computing, such as deployed applications, virtual machine monitors, guest virtual machines, data storage, and supporting middleware, there are also components that the management backplane comprises, such as those for self-service, resource metering, quota management, data replication and recovery, service level monitoring, workload management, and cloud bursting.”
Shared multi-tenant environment: “Public cloud services offered by providers have a serious underlying complication—client organizations typically share components and resources with other consumers that are unknown to them. Threats to network and computing infrastructures continue to increase each year and become more sophisticated. Having to share an infrastructure with unknown outside parties can be a major drawback for some applications and require a high level of assurance pertaining to the strength of the security mechanisms used for logical separation.”
Internet-facing services: “Public cloud services are delivered over the Internet, exposing the administrative interfaces used to self-service and manage an account, as well as non-administrative interfaces used to access deployed services. Applications and data that were previously accessed from the confines of an organization’s intranet, but moved to a public cloud, must now face increased risk from network threats that were previously defended against at the perimeter of the organization’s intranet and from new threats that target the exposed interfaces. The performance and quality of services delivered over the Internet may also be at issue.”
Loss of control: “Transitioning to a public cloud requires a transfer of responsibility and control to the cloud provider over information as well as system components that were previously under the organization’s direct control. This situation makes the organization dependent on the cooperation of the cloud provider to carry out activities that span the responsibilities of both parties, such as continuous monitoring and incident response. Under such conditions, maintaining accountability can be more challenging, offsetting some of the potential benefits discussed earlier.”
Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.