Cloud computing and security.

Abstract

There is always a strong pressure on Information Technology (IT) to do more with fewer resources. Over the decades, this pressure to rationalize IT costs spurred a number of paradigms, technologies and buzzwords. Some of them failed to meet their promises, while others became successfully embed in IT practices and infrastructures, providing sizeable benefits. The paradigm of cloud computing is currently riding this wave, promising to be the next great revolution in IT. Cloud computing appears to have the right technological and market ingredients to become widely successful. However, there are some key areas where cloud computing is still underperforming – such as security. Availability, security, privacy and integrity of information are some of the biggest concerns in the process of designing, implementing and running IT services based on cloud computing, due to technological and legal matters. There is already an extensive set of recommendations for IT management and IT governance in general – such as the popular Information Technology Infrastructure Library (ITIL) guidelines and Control Objectives for Information and related Technology (COBIT) recommendations. However, the field of cloud computing remains poorly covered. ITIL and other general sources can be sometimes translated to the context of cloud computing, but there are many new challenges not addressed by those generic resources. Recognizing this state of affairs, a number of initiatives already started focusing on novel proposals specifically targeting cloud computing but, up to now, with no significant outcomes. In this paper, we discuss the security implications involved in the migration of IT services to the cloud-computing model, proposing a set of rules and guidelines to be followed in the process of migrating IT services to the cloud. This set of rules and guidelines largely builds on general ITIL recommendations, discussing how to extend/adapt them to the field of cloud computing and identifying which a number of novel areas not covered by current ITIL recommendations.