Securing cloud-based services

Cloud computing refers to the online delivery (i.e. over the internet) of IT services such as data storage or application processing. Cloud service providers usually share the resources behind these services between many customers.

There are three main forms of cloud computing service:

  • Software-as-a-service (SaaS) is where software (of the kind you would normally install on office computers) is instead accessed online. It is also commonly known as ‘hosted software’ or ‘hosted applications’.
  • Infrastructure-as-a-service (IaaS) is where you rent infrastructure (such as server or storage capacity) in a remote data centre and use it over the internet. Website hosting is a common example of IaaS.
  • Platform-as-a-service (PaaS) is where you use a remote platform to develop and deploy new software applications.

All three introduce new cyber security risks because you lose control over how the service is provided; for example, the physical location of the service may vary. It is therefore important to obtain guarantees from the service provider that legal and other requirements will be met, although proving that those requirements are being met may be very difficult.

A specific problem with cloud computing is the protection of personal information. If you are a data controller, you are responsible for that personal data, even when it is stored ‘in the cloud’. The Information Commissioner’s Office has published a guide to cloud computing to “ensure that processing of personal data done in the cloud complies with the Data Protection Act”.