Security issues are paramount when considering adoption of any cloud technology. This chapter outlines the Secure Cloud Architecture (SeCA) model on the basis of data classifications, which defines a properly secure cloud architecture by testing the cloud environment on eight attributes. The SeCA model is developed using a literature review and a Delphi study with seventeen experts, consisting of three rounds. The authors integrate the CI3A —an extension on the CIA-triad— to create a basic framework for testing the classification inputted. The data classification is then tested on regional, geo-spatial, delivery, deployment, governance & compliance, network, and premise attributes. After this testing has been executed, a specification for a secure cloud architecture is outputted. The SeCA model is detailed with two example cases on the usage of the model in practice.
TopIntroduction
According to both commercial reports as academic research, security issues are paramount when adoption of cloud solutions are being considered (Foster, Zhao, Raicu, & Lu, 2008; Ghinste, 2010; Mowbray & Pearson, 2009). However, no clear model exists to determine security issues and solutions.
Better yet, there is much debate which security threats and risks are applicable to computer networks, end-users or are actually cloud specific (Chen, Paxson, & Katz, 2010:4). They state that “arguably many of the incidents described as ‘cloud security’ in fact just reflect traditional web application and data-hosting problems [..] such as phishing, downtime, data loss, password weaknesses, and compromised hosts running botnets.”. Moreover, they hold that most cloud security issues aren’t new, but do need new implementations to provide the level of security wanted.
Therefore this chapter will provide an overview of the security issues and describe the Secure Cloud Architecture (SeCA) model to determine the security issues one might expect in a certain cloud environment and what solutions might be used to secure those issues. This framework will be developed by answering the following question:
Can the Cloud be a safe alternative for the storage and execution of organizational confidential data?
This model was developed in three steps. First, a literature review has been conducted. Second a delphi study was conducted to identify the perceived security issues by experts in the field. Third, the model was verified by the same experts in the last round of the delphi study.
By reading the overall themes in security, followed by cloud specific topics, an overview has been created that is used as the starting point in the development of the SeCA model.
A delphi study has been considered to be the best method for research in this chapter, as it provides the researchers with a qualitative data set which would allow to create and verify the model. It also allows the experts to see answers and be able to respond to these answers in upcoming rounds (Dalkey & Helmer, 1963). The first answer in question two is not per se answered by the same expert as answer one in question one, creating double-blind survey results. This way, a consensus can be reached on the various topics discussed in the delphi study. The delphi method was executed consisting of three rounds of surveys with qualitative questions. Three rounds were chosen instead of two, which is more common (Skulmoski, Hartman, & Krahn, 2007), so that a first round could be used to obtain general information on the topic, not specifically regarding to the model to be developed, while still having enough rounds to reach a consensus. The first round consisted of open questions where the experts were questioned on their experience with security and the cloud, issues and concerns regarding security in the cloud. These questions gave a wide result set that strengthened the results of the literature research earlier performed. Seventeen respondents answered all the questions in the survey in all three rounds, a rate of 65%. See Table 1 for an overview.
Table 1. The experts (filtered on those that did all three rounds) in the Delphi study
| # | Position/function | Organization type | Cloud | Non-cloud | Security |
| 1 | Consultant | Enterprise integrator | X | X | |
| 2 | Director | IT consultancy | | X | X |
| 3 | Security consultant/architect | IT security firm | | X | X |
| 4 | Researcher | American University, | X | X | X |
| 5 | Enterprise Architect | Enterprise transportation | | X | |
| 6 | Sr. manager | Large accounting firm | X | X | X |
| 7 | Security advisor | Transportation firm | | X | X |
| 8 | IT Architect | IT consultancy | X | X | |
| 9 | Manager | Security solutions | X | | X |
| 10 | Security manager | Utilities | | X | X |
| 11 | Consultant | IT consultancy | X | X | |
| 12 | Security manager | Government | | X | X |
| 13 | Security manager | Healthcare products | | X | X |
| 14 | Manager | IT consultancy | | X | X |
| 15 | Consultant | Enterprise integrator | | X | X |
| 16 | Security manager | Utilities | | X | X |
| 17 | IT auditor | Accounting | X | X | X |