Trust, security and privacy are three terms that surface quickly when people discuss cloud computing. A survey conducted by IDC and reported on by McAfee showed that more than 85 percent of Software-as-a-Service users were uncomfortable adopting cloud services because of security concerns. For those in construction, architecture and engineering, the stakes are high.
From the cloud computing trust perspective, AEC firms are concerned about uptime, file availability and bandwidth, not to mention the need for some reassurance that the company housing the data and providing the links is in business for the long haul.
But it’s the security and privacy implications of cloud computing that make those in construction businesses shiver the most. Security of files and documents that hold sensitive company and customer information is a top concern. For companies in the AEC industries especially, the types of files where that information may be stored are expansive. Email, memos, images and contract documents might seem innocuous on the surface, but when you scrutinize them closely there are many opportunities for information compromise.
Where privacy is concerned, there are compliance regulations that have to be followed, and for companies doing business across national borders the complexity of managing the privacy needs of the information gets increasingly difficult. Governments, standards organizations and computer software and hardware associations are grappling with the issues of trust, security and privacy for the cloud.
Data Security Policy
One key player is the Cloud Security Alliance, which includes individuals, corporations and industry groups organized into chapters.
The U.S. federal government has stepped up to the plate and thrown its weight behind the cloud computing concept. The recently appointed federal CIO, Vivek Kundra, is bullish on getting the government out of data center operations and onto the cloud provided by outsiders. Classified data will be handled on a platform designed by NASA called Nebula.
The National Institute of Standards and Technology (NIST) released a draft of its “Guide to Security for Full Virtualization Technologies” on July 21, 2010. In brief, the recommendations outlined in the press release were:
- Secure all elements of a full virtualization solution and maintain their security;
- Restrict and protect administrator access to the virtualization solution;
- Ensure that the hypervisor, the central program that runs the virtual environment, is properly secured; and
- Carefully plan the security for a full virtualization solution before installing, configuring and deploying it.
Brian Anderson, chief marketing officer for BeyondTrust, a provider of privilege authorization management, access control and security solutions for virtualization and cloud computing environments, suggests attending to security in this order:
- Be sure data is encrypted
- Provide transmission security
- Maintain physical security of devices holding data
- Use secure authentication to ensure the identities of those with access
- Give administrators the least amount of authorization possible
You can also download the Cloud Security Alliance’s “Cloud Security Guide” for very in-depth cloud security guidance and advice on the right questions to ask of cloud providers and managed security services.