Toward Cloud Security: Understanding Your Control Levels


Winston Saunders has worked at Intel for nearly two decades and currently leads server and data center efficiency initiatives. Winston is a graduate of UC Berkeley and the University of Washington. You can find him online at “Winston on Energy” on Twitter

As adversaries have become better organized and more aggressive, threats to sensitive data have increased. In addition, the security of cloud computing is a growing concern as more data moves from traditional data center environments to cloud-based services.

A recent study by Georgia Tech found that few businesses engage security measures beyond those provided by the cloud provider. While a fire-and-forget model may be sufficient for less sensitive data, it’s appropriate to ask and even re-ask whether protections in all data environments are adequate to prevent undesired outcomes.

Security Depends on the Type of Cloud

In-house data centers and private cloud data centers provide direct visibility to the controls that are in place because ownership is clear. In public cloud environments, the situation may be very different. And since there are generally multiple control levels to consider, even asking “who owns what level” can be important to understand.

The U.S. Federal Government FedRAMP program articulates multiple security considerations in selecting a cloud services. For the sake of this article, I’ll just focus on understanding the implications of two of them: the type of cloud service planned and accountability.


The table illustrates how the choice of cloud service model affects (and may cloud) responsibility for important aspects of security. For instance, physical security is a countermeasure to attacks resulting from physical access to the server or network itself. Theft, unauthorized operation, side channel attacks (PDF), and insertion of malicious files or devices are just some of the physical attacks to worry about. In a business risk assessment, both the likelihood of such an attack and what control the user requires are important consideration in selecting the type of cloud solution.

Similar arguments can hold for the other categories. For workload and data protection, a concern might be what encryption standard is implemented who controls it. Depending on the sensitivity of data, ensuring encryption standards provide adequate protection is certainly a key consideration.

One can write paragraphs on each all of the line items above. Indeed they may make for interesting blogs if there’s interest expressed in the comments. But I think for now the point is made.

A table similar to this one was introduced to the WG4 Cloud Computing Standards discussion at the ISO/IEC JTC 1/SC 27 Meeting In Hong Kong, 7-15 April 2014. While the table simplifies responsibilities it highlights the complexity of roles and responsibilities in security in cloud computing.

Where you may have previously selected a cloud service based on price, future needs will include selection on security posture as well. Understanding what you control in that equation will a big part of that choice. Whether you are in the U.S. Government or not, understanding FedRAMP controls is a good start to understanding risks. But only your own full risk assessment can select the right service for your needs.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.


Add Your Comments

  • (will not be published)