Proper security measures for the cloud computing environment

Appendix 1: Data Security in the World of Cloud Computing
July/August 2009 (vol. 7 no. 4) pp. 61-64
Lori M. Kaufman, BAE Systems
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2009.87

Today, we have the ability to utilize scalable, distributed computing environments within the confines of the Internet, a practice known as cloud computing. In this new world of computing, users are universally required to accept the underlying premise of trust.

Within the cloud computing world, the virtual environment lets users access computing power that exceeds that contained within their own physical worlds. Typically, users will know neither the exact location of their data nor the other sources of the data collectively stored with theirs. The data you can find in a cloud ranges from public source, which has minimal security concerns, to private data containing highly sensitive information (such as social security numbers, medical records, or shipping manifests for hazardous material).

Does using a cloud environment alleviate the business entities of their responsibility to ensure that proper security measures are in place for both their data and applications, or do they share joint responsibility with service providers? The answers to this and other questions lie within the realm of yet-to-be-written law. As with most technological advances, regulators are typically in a "catch-up" mode to identify policy, governance, and law. Cloud computing presents an extension of problems heretofore experienced with the Internet. To ensure that such decisions are informed and appropriate for the cloud computing environment, the industry itself should establish coherent and effective policy and governance to identify and implement proper security methods.

Index Terms: cloud computing, security, governance, it all depends
Citation: Lori M. Kaufman, "Data Security in the World of Cloud Computing," IEEE Security and Privacy, vol. 7, no. 4, pp. 61-64, July/Aug. 2009, doi:10.1109/MSP.2009.87
http://www.computer.org/portal/web/csdl/doi/10.1109/MSP.2009.87

Appendix 2: SURVEY BY IEEE AND CLOUD SECURITY ALLIANCE DETAILS IMPORTANCE AND URGENCY OF CLOUD COMPUTING SECURITY STANDARDS
Enterprises Eager to Adopt Cloud Computing, but Regulatory Requirements Demand Security Standards Compliance

Contact:
Karen McCabe, IEEE-SA Marketing Director, +1 732-562-3824, k.mccabe@ieee.org
Robert Nachbar, ZAG Communications for the Cloud Security Alliance, +1 206-427-0389, robert@zagcommunications.com

RSA CONFERENCE, SAN FRANCISCO, CALIF., USA, 1 March 2010 - IEEE, the world's leading professional association for the advancement of technology, and the Cloud Security Alliance (CSA), a not-for-profit organization formed to promote the use of best practices for providing security assurance within cloud computing, today announced results of a survey of IT professionals that reveals overwhelming agreement on the importance and urgency of cloud computing security standards.

"It's clear from the survey's findings that enterprises across sectors are eager to adopt cloud computing - but that security standards are needed both to accelerate cloud adoption on a wide scale and to respond to regulatory drivers," said Jim Reavis, founder and executive director of the Cloud Security Alliance. "Cloud computing is shaping the future of IT, but, as this study shows in a variety of ways, the absence of a compliance environment is having dramatic impact on cloud computing's growth."

Hundreds of IT professionals, many of whom are actively involved in implementing cloud-related projects, participated in the joint IEEE/CSA survey. Among the survey's findings:

· Ninety-three percent of respondents said the need for cloud computing security standards is important; 82 percent said the need is urgent.
· Forty-four percent of respondents said they are already involved in development of cloud computing standards, and 81 percent said they are somewhat or very likely to participate in development of cloud security standards in the next 12 months.
· Data privacy, security and encryption comprise the most urgent area of need for standards development.
· The ISO 27001/27002 Information Security Management Standard is a key regulatory driver of standards compliance, as are Data Breach Notification, PCI/DSS (Payment Card Industry Standard), EU Data Privacy Legislation, SOX (Sarbanes-Oxley Act) and HIPAA (Health Insurance Portability and Accountability Act).
· The use of public, private and hybrid clouds will rise over the next 12 months. The survey found that, while public clouds are most popular, private and hybrid implementations are quickly gaining in adoption.
· The rate of using and providing software, platform and infrastructure as a service (SaaS, PaaS and IaaS) will increase consistently in the next 12 months. The survey showed that PaaS and IaaS are set for the sharpest growth.

"The Cloud Security Alliance, as the world's leading organization focused on cloud security, and IEEE, as a global leader in standards development across an unmatched range of industries, are the obvious partners to establish the baseline on the current and intended usage of cloud computing services, as well as the needs, attitudes and behaviors around cloud security standards," said Judy Gorman, Managing Director, IEEE-SA. "The insights revealed in this survey will prove valuable in informing how the cloud community moves forward."

In addition to the announcement today at the Cloud Security Alliance Summit at the RSA Conference in San Francisco, the Computer Security Alliance and IEEE will also present the survey's findings March 16 at SecureCloud 2010 in Barcelona.

About the Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by industry practitioners and supported by more than 25 corporate members. For further information, see the Cloud Security Alliance website.

About the IEEE Standards Association
The IEEE Standards Association, a globally recognized standards-setting body within the IEEE, develops consensus standards through an open process that engages industry and brings together a broad stakeholder community. IEEE standards set specifications and best practices based on current scientific and technological knowledge. The IEEE-SA has a portfolio of over 900 active standards and more than 600 standards under development. For more information see the IEEE-SA website.

About IEEE
IEEE is the world's largest technical professional association.
Through its more than 375,000 members in 160 countries, IEEE is a leading authority on a wide variety of areas ranging from aerospace systems, computers and telecommunications to biomedical engineering, electric power and consumer electronics. Dedicated to the advancement of technology, IEEE publishes 30 percent of the world's literature in the electrical and electronics engineering and computer science fields, and has developed over 900 active industry standards. The organization annually sponsors more than 850 conferences worldwide. For more information see the IEEE website.

http://standards.ieee.org/news/2010/cloudcomp.html

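Having come this far, we need to look at the several ways in which "cloud computing" is currently used. Let's start with a list. The English names are authoritative; apart from "Software as a Service", the Chinese translations were all produced by "forcing" the same uniform pattern:

· Software as a Service (SaaS)
· Platform as a Service (PaaS)
· Infrastructure as a Service (IaaS)
· Storage as a Service (DaaS)
· Communication as a Service (CaaS)
· Hardware as a Service (HaaS)

Software as a Service (SaaS) was probably the earliest service concept to emerge from the cloud. In the United States, when SaaS is mentioned, the first thing people in the industry think of is probably Salesforce.com and its CEO, Benioff. In fact, Google services such as Gmail and Google Doc are all SaaS, and so is Microsoft Live, launched by Microsoft. SaaS is really the top layer of "cloud computing", the application layer: an application service provided to users. Large web-based commercial e-mail systems such as Hotmail.com can be regarded as early SaaS; out of habit, we simply did not recognize them as such.

The origin of Benioff's founding of Salesforce.com goes back to the inspiration he received while serving as deputy to Oracle's president, Ellison. By his own account, on a flight to Beijing Ellison told him that the Oracle database should be made available to users over the network, so that it could be maintained at any time without worrying about different versions. On another occasion, while he was in charge of developing sales force automation software (the predecessor of CRM), he found that demand for this kind of software was high but so was its cost: even the cheapest single-user version cost 1500 US dollars. At the same time, the salespeople who used it often complained that the software lacked one feature or another, and as a result the cost of maintenance, modification and upgrades was often ten times the usage fee or even more. Yet companies had no choice but to pay up for the sake of sales. He kept thinking about and studying the problem, and eventually concluded that an online CRM system built on the Oracle database and offered at a low usage price (50 US dollars per person) should be a promising idea. First, salespeople could go online and use the system at any time without worrying about whether the software was installed. Second, good new features could be built into the system quickly and used immediately, and once built in, they would be available to other salespeople as well. In this way the value of the system would keep growing, and so Salesforce.com was born.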