National Institute of standard and technology has defined Cloud computing as ”a model for enabling ubiquitous,convenient,on-demand network access to a shared pool of configurable computing resources(e.g. networks,servers,storage,applications and services.) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. The service model consists of Infrastructure as a service (Iaas),Platform as a service (Paas), and Software as a service (Saas). Those services are deployed over four deployment models ; Public Cloud, Private Cloud,Hybrid Cloud and community Cloud. The originality of cloud computing is virtualization. The hypervisor is the software that renders a physical servers to a virtual server, thus allowing the creation of virtual machines. VmWare ESX/ESXi, Kernel virtual machine (KVM),Microsoft hyperV and Citrix XenServer are products used to create virtual computing environment. These innovative technologies have softwares and applications with vulnerabilities attracting hackers, malware (Worm, virus,Trojan Horse,Adware). Security professionals have introduced different approaches to securing the Cloud Computing.
Confidentiality, integrity and availability are in the hearth of any information security program. There are many security standards that have evolved over the past year to help cloud computing providers and customers to reduce the attack surface in their virtual environment. Among those International Standard Organisation 27001 audit standard for Information security management program, National institute of standard and Technology special publication 800-53 Information security, Payment card data security standards (PCI DSS) encryption of credit card records, Health Insurance Portability And Accounting Act (HIPAA) protect health care records.
”Operational security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of critical information”.[1] Using this approach in the Virtual environment consist of : data at rest and in motion must be encrypted in the cloud (asymmetric or symmetric encryption), hypervisors and virtual machines vulnerabilities have to be managed and avoided,web applications are tested based on the Open web application security project (OWASP) testing guide, each virtual machines and each vitual network are isolated from the others, Host Based Intrusion Detection System(HIDS) installed in virtual instances, virtual network based Intrusion Detection System(IDS) and virtual firewall installed to monitor and allow only authorized traffic in the cloud, and all the logs have to be kept for a successful Incident response.
[1] http://en.wikipedia.org/wiki/Operations_security
Guy Ngongang 