The cloud provider needs to provide basic security, such as the physical security of the server and network segregation and security. “So there is a certain amount of responsibility on the part of the provider…to be able to provide cloud services”, Rusu said.
“You also have to provide network center operations to help guard customers against attacks like denial of service or DNS hijacking. The more services that a cloud provider can provide, the better”, he told Infosecurity.
Customers also need to be conscious of security issues related to making content available to the outside world. “The customers have ultimate responsibility for what they want to share, to what extent they want to go to protect the data”, Rusu observed. The data can be stored anywhere from a public website to a back-office system that has to be secure.
“The burden of security lies with both the cloud provider and the customer. No matter how secure the cloud provider makes the infrastructure…if the customer decides to do risky things, all the security we can provide doesn’t help”, Rusu commented. “What we see in practice is that security is a partnership” between the cloud provider and the customer, he added.
“In a nutshell there is a great deal of security awareness that needs to be provided to cloud users”, Rusu said.
In a related development, the Cloud Security Alliance (CSA) is seeking industry input in updating its top threats to cloud computing report, which it first published in March 2010.
In the original report, the CSA identified seven threats to cloud computing: abuse and nefarious use of cloud computing, insecure interfaces and application programming interfaces, malicious insiders, shared technology, data loss or leakage, account or service hijacking, and unknown risk profile.
The alliance said that results of the industry survey on top threats to cloud computing will be published at the CSA EMEA Congress being held in Amsterdam in late September.