The Cloud Cube Model examines the various "cloud formations", which correspond to the cloud service and deployment models. According to the NIST guidelines there are three service models (Software as a Service, Platform as a Service, and Infrastructure as a Service) and four deployment models (Public, Private, Community, and Hybrid). Each of these models offers a different balance of agility, flexibility, risk, and responsibility.
Most cloud providers understand how important security is to their customers, but it remains the cloud customer's responsibility to ensure that the cloud formation selected meets their regulatory and data-location requirements. The further up the cloud service model you go, the more you rely on the cloud provider to supply security and an easy means of data portability. If your cloud vendor stopped providing the service, how easily could you move to another vendor, or use a cloud-based utility to provide business continuity? With SaaS, service levels, privacy, and compliance are all negotiated legally into the contract.
Protecting your data
First, it is necessary to classify your data so that you know which rules must apply to protecting it:
- Its sensitivity: must it only exist at specific trust levels? If so, which?
- What regulatory/compliance restrictions apply: e.g. must it stay within your national boundary? Does it have to stay in Safe Harbors?
With an understanding of what security you need to apply to your data, you are in a position to decide:
- What data and processes to move to the Clouds.
- At what level you want to operate in the Clouds. Cloud models separate layers of business service from each other, for example Infrastructure / Platform / Software / Process.
- Which Cloud Formations are best suited to your needs.
Cloud Cube Model
The Cloud Cube Model has four dimensions to differentiate cloud formations:
The External/Internal dimension defines the physical location of the data. Does the data exist outside or inside your organization's boundaries? For example, information inside a datacenter using a private cloud deployment would be considered internal, and data that resides on Amazon EC2 would be considered external.
The Proprietary/Open dimension defines the state of ownership of the cloud technology, services, and interfaces. It indicates the degree of interoperability and of "data/application transportability" between your own systems and other cloud forms, that is, your ability to move your data without constraint.
- Proprietary means that the organization providing the service keeps the means of provision under its own ownership.
- Clouds that are Open use technology that is not proprietary, meaning that there are likely to be more suppliers, and you are less constrained in sharing your data and collaborating with selected parties that use the same open technology.
The third dimension contrasts Perimeterised with De-perimeterised operation:
- Perimeterised implies continuing to operate within the traditional IT perimeter, often signaled by "network firewalls". When operating in the perimeterised areas, you may simply extend your own organization's perimeter into the external cloud computing domain by using a VPN, operating the virtual server in your own IP domain, and making use of your own directory services to control access.
- De-perimeterised assumes that the system perimeter is architected following the principles set out in the Jericho Forum's Commandments and Collaboration Oriented Architectures Framework. In a de-perimeterised frame the data is encapsulated with meta-data and mechanisms that protect it from inappropriate usage.
The de-perimeterised areas of the Cloud Cube Model span both internal and external domains, but the collaboration or sharing of data there should not be seen as internal or external; rather, it is controlled by and limited to the parties that the organizations using it select. For example, in this future frame one organization will not feel uncomfortable about allowing data into the internal COA-compliant domain of a collaborating organization; rather, it will be confident that the data will be appropriately protected.
Encryption and key management will be the technological means of providing data confidentiality and integrity in a de-perimeterised model. Strong encryption also provides legal safe harbors when information is lost or stolen.
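As an added illustration (not from the Jericho Forum material) of the encapsulation the two paragraphs above describe: the Go code below keeps a classification label readable beside the data, encrypts the payload with AES-GCM, and binds the label to the ciphertext as associated data, so a copy whose label has been altered (for instance to claim a different jurisdiction) no longer decrypts even for a holder of the key. The Label fields, the type names and the choice of AES-GCM are assumptions; the key is supplied by the caller, since the text treats key management as the companion concern.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
)

// Label is the metadata that travels with the data in the clear: the trust
// level it requires and where it may reside. Fields assumed for this example.
type Label struct{ Sensitivity, Jurisdiction string }

// Sealed is the encapsulated object: readable label, encrypted payload, and
// the label bound to the payload as GCM associated data.
type Sealed struct {
	Label             Label
	Nonce, Ciphertext []byte
}

// Sealer wraps the AEAD; safeguarding the key is the key-management half.
type Sealer struct{ gcm cipher.AEAD }

func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{gcm}, nil
}

// Seal encrypts plaintext under a fresh nonce and binds label to the ciphertext.
func (s *Sealer) Seal(label Label, plaintext []byte) (*Sealed, error) {
	nonce := make([]byte, s.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad, _ := json.Marshal(label) // deterministic for struct fields
	return &Sealed{label, nonce, s.gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open fails if key, nonce, ciphertext or label changed, so a relabelled copy is unreadable.
func (s *Sealer) Open(o *Sealed) ([]byte, error) {
	aad, _ := json.Marshal(o.Label)
	return s.gcm.Open(nil, o.Nonce, o.Ciphertext, aad)
}
```

Any handler in the collaborating domain can read the label to apply its placement rules, but only a key holder can read the payload, and only while the label is the one the owner sealed.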
The fourth dimension is the Insourced/Outsourced dimension. Who is running your cloud? If it is outsourced the service is provided by a third party, and if it is insourced the service is provided by your own staff. This describes the delivery management of the cloud services you consume.
The Jericho Forum states there are three key questions that customers need to ask cloud suppliers to ensure they are confident about their security and compliance with applicable regulations:
- Where in the cube model is your cloud supplier operating when providing their service?
- How will my cloud supplier assure that when using their services I am operating in a cloud form that has and will maintain the features I expect?
- How can I ensure that my data and the cloud services will continue to be available in the event of the provider's bankruptcy or change in business direction?
Beyond these questions, customers need:
- To understand how and why using a given cloud form will return the value they want to achieve.
- To set out their cloud computing requirements clearly and know what to expect as a result, so that they can achieve the benefits that cloud computing can offer.
Moving data, both sensitive and confidential, into the cloud also raises legal compliance issues. These too should be fully understood by all parties before the decision to move to a cloud service is made. It may be that, while the cost of the cloud service is significantly lower, the business risk is too high.