Scope of Controls
The end-user uses services in the cloud from cloud providers – utilizing SaaS, PaaS or IaaS depending on their needs. The cloud providers make the services available and control more or less of what the end-user accesses, depending on the services needed. The cloud is opaque below the level of services the end-user consumes – and they do not need to know how the services are provided to them.
Multiple cloud providers can supply a single user when needed – and the end-user neither knows, nor needs to know. All they are aware of is requesting more server time, or hosting space, and receiving it.
Because of this opacity, security is an integral component of cloud services. Security, including confidentiality, the verifiability of stored information and reliability, is essential to cloud computing. Without it, there is a disincentive to utilizing cloud computing. Individuals, businesses and governments all need to be certain that secure information put in the cloud is not going to be hacked or leaked. Access to the cloud also needs to be reliable and continuous. When the cloud provider is unknown to the end-user, the end-user is relinquishing control over the safety of the data and applications within the cloud.
Basic cloud computing security depends on the proven and perceived trustworthiness of the provider – or increasingly, the cloud broker. The provider is almost inevitably going to have access to any information placed on their servers. Cloud auditors are necessary to provide verification and certification of security needs.