Cloud Gal 42

Cloud Computing Shared Considerations

May 23, 2021 | May 16, 2021 by admin

Cloud computing shared considerations, also referred to as cross-cutting aspects, are addressed below.

Security

Security of cloud data and applications is a responsibility that is shared between the cloud service provider and the cloud service consumer. An easy way to portray the responsibility boundary is that:

  • The CSP has responsibility for “security of the cloud”
  • The customer has responsibility for “security in the cloud”

“Of the cloud” security describes the task of protecting the cloud infrastructure. This includes both the physical and logical protection of hardware, software, networking, and facilities that run the cloud services.

“In the cloud” security responsibilities are dictated by the specific cloud service(s) consumed by the customer. Those responsibilities include service configuration and management tasks, management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on compute instances, and the configuration of the CSP-provided firewalls on each instance.

Auditability

Auditability relies on a single key component: evidence. Think of the auditor coming in with their checklist and questions: that is the same mindset your organization or entity should take, so that you are always comfortable with, and have a clear understanding of, your ability to audit and measure actions against requirements. Systems and processes will fail, so wherever possible, auditing and auditability should provide enough information, details, and evidence to support reviews and investigations. The ability to point to audit results, findings, and relevant evidence has not only saved jobs and companies from catastrophic impacts, but also has given leaders the facts and reports they need to alter business processes, system functions, and personnel activities and to implement increased safeguards such as defense in depth or additional layers of security and risk management.

The CSP is responsible for auditability of the cloud regions, datacenters, hardware, and so on. The customer is responsible for auditability of anything deployed on their virtual private cloud, including the virtual network and infrastructure.

Availability

Systems and resource availability define the success or failure of a cloud-based service. Availability is a single point of failure for cloud-based services. If the service or cloud deployment loses availability, the customer is unable to access their target assets or resources, resulting in downtime. In many cases, cloud providers are required to provide upwards of 99 percent availability as per the service-level agreement. Failure to do so can result in penalties, reimbursement of fees, loss of customers, loss of confidence, and ultimately brand and reputational damage.

While the CSP is responsible for cloud region, zone, infrastructure, and service availability, the customer is responsible for identifying single points of failure in their deployed workloads and planning for high availability accordingly.

Compliance

Regulatory compliance is an organization’s requirement to adhere to the laws, regulations, guidelines, and specifications relevant to its business, specifically dictated by the nature of operations and functions it provides to its customers. Where the organization fails to meet, or violates, regulatory requirements, punishment can include legal actions, fines, and in limited cases, halting business operations or practices. Key areas that often apply to cloud-based environments include (but are not limited to) the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), and the Sarbanes–Oxley Act (SOX).

Most reputable CSPs are compliant with PCI, HIPAA, SOX, FedRAMP, etc. However, it is the customer’s responsibility to ensure compliance within their virtual private cloud environments.

Governance

The term “governance”, when relating to processes and decisions, refers to defining actions, assigning responsibilities, and verifying performance. The same can be said and adopted for cloud services and environments where the goal is to secure applications and data when in transit and at rest. In many cases, cloud governance is an extension of existing organizational or traditional business process governance, with a slightly altered risk and controls landscape. While governance is required from the commencement of a cloud strategy or cloud migration roadmap, it is seen as a recurring activity and should be performed on an ongoing basis. A key benefit of many cloud-based services is the ability to access relevant reporting, metrics, and up-to-date statistics related to usage, actions, activities, downtime, outages, updates, etc. With scheduled and automated reporting available, this may enhance and streamline governance and oversight activities.

Governance of workloads deployed on virtual private clouds is largely the customer’s responsibility. For PaaS and SaaS, cloud governance is a shared responsibility between the CSP and customer.

Interoperability

Interoperability is the requirement for the components of cloud ecosystems to work together to achieve their intended result. In a cloud computing ecosystem, the components may well come from different sources, both cloud and traditional, both public and private cloud implementation (known as hybrid cloud). Interoperability mandates that those components should be replaceable by new or different components from different providers and continue to work, as should the exchange of data between systems. In summary, if your car engine fails, you should be able to replace the engine with the same brand or type of engine, or alternatively look for another engine that will provide the same level of power and function to allow the car to continue to operate. Interoperability uses the same premise: continued availability of services, regardless of providers or cloud components.

While it is expected of the CSP to provide alternatives to proprietary services, it is ultimately the customer’s responsibility to choose technologies that are largely platform and/or cloud agnostic.

Maintenance and Versioning

Maintenance refers to changes to a cloud service or the resources it uses to fix faults or to upgrade or extend capabilities for business reasons. Versioning implies the appropriate labeling of a service so that it is clear to the cloud service customer that a particular version is in use.

For PaaS and SaaS services, maintenance and versioning are mostly the CSP’s responsibility. For IaaS (and some PaaS), maintenance is the customer’s responsibility.

Performance

Cloud computing and high performance should always go hand in hand. For the best experience using cloud services, the provisioning, elasticity, and other associated components should always focus on performance, which in turn should be focused on the network, the compute, the storage, and the data. With these four elements influencing the design, integration, and development activities, performance should be boosted and enhanced throughout.

While the CSP is responsible for the performance of the cloud infrastructure, the customer is responsible for designing and architecting their cloud deployments for performance.

Portability

Portability defines the ease with which application components are moved and reused elsewhere regardless of the provider, platform, OS, infrastructure, location, storage, format of data, or APIs. Portability is a key aspect to consider when selecting cloud providers, since it can both help prevent vendor lock-in and deliver business benefits by allowing identical cloud deployments to occur in different cloud provider solutions, either for the purposes of disaster recovery or for the global deployment of a distributed single solution.

Privacy

In the world of cloud computing, privacy presents a major challenge for both customers and providers alike. The reason for this is simple: no uniform or international privacy directives, laws, regulations, or controls exist, leading to a separate, disparate, and segmented mesh of laws and regulations being applicable, depending on the geographic location where the information may reside (data at rest) or be transmitted (data in transit). Given the true global nature and various international locations of cloud-computing data centers, this could mean that your organization’s data could reside in two, three, or more locations around the world at any given time. For many European entities and organizations, this violates European Union (EU) Data Protection laws and obligations, which could lead to various issues and implications. Within Europe, privacy is seen as a human right, and as such should be treated with the utmost respect. Not bypassing the various state laws across the United States and other geographic locations requires an extremely complex and intricate level of knowledge and controls to ensure that no such violations or breaches of privacy and data protection occur.

Regulatory

There are many different regulations that may influence the use and delivery of cloud services. Statutory, regulatory, and legal requirements vary by market sector and jurisdiction, and they can change the responsibilities of both cloud service customers and cloud service providers. Compliance with such requirements is often related to governance and risk management activities.

Resiliency

Cloud resiliency represents the ability of a cloud services data center and its associated components, including servers, storage, etc., to continue operating in the event of a disruption, which may be equipment failure, power outage, or a natural disaster. Given that most cloud providers have a significantly higher number of devices and redundancies in place than a standard “in-house” IT team, cloud resiliency should typically be far higher, with equipment and capabilities ready to fail over, multiple layers of redundancy, and enhanced exercises to test such capabilities.

Reversibility

Reversibility is a process for the cloud service customer to retrieve their cloud service customer data and application artefacts, and for the cloud service provider to delete all cloud service customer data and contractually specified cloud service derived data after an agreed period.
