Cloud computing is highly appealing to today’s organizations, not only because of its projected cost savings but also because of key characteristics such as the cloud’s elasticity, scalability, and flexibility. However, cloud computing also brings new challenges. The concentration of an organization’s computing resources and data in the cloud can create a more attractive target for potential attackers. Although cloud-tailored security defenses can be robust, scalable, and cost effective if properly implemented, security remains a top concern for organizations considering cloud-based services.
Your choice of a cloud service delivery and deployment model directly affects the security of your organization. In addition, planning for cloud-based IT services creates several security challenges that you must overcome if you hope to take advantage of the cloud’s benefits while minimizing the risks.
Delivery Model Security
A common architectural model used to frame the services a Cloud Service Provider (CSP) can deliver to organizations (i.e., the cloud service consumers) is the SPI model. SPI refers to the delivery of software, platform, and infrastructure services in the cloud; these cloud service offerings are referred to as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS).
The SPI model is a stacked model, as Figure 1 shows, in which IaaS sits at the bottom of the stack, SaaS at the top, and PaaS in the middle. The higher you go in the SPI stack, the more responsibility and control the CSP has and the less responsibility, control, and flexibility the service consumer has. This rule also applies to security.
SaaS. With SaaS, organizations buy cloud-based applications or software from a CSP. Instead of purchasing software applications off-the-shelf and installing, configuring, and maintaining them, organizations rent applications from a SaaS CSP. The CSP manages and controls the cloud infrastructure underneath the applications (including components such as OSs, servers, storage, and networks), as well as general application setup and configuration. Typically, SaaS consumers handle only user-specific application configuration and identity management tasks. Of all the cloud service delivery models, SaaS provides the most integrated security services, built directly into the cloud offering, with the least consumer extensibility. A good SaaS example is the use of Microsoft Exchange Server email services with Microsoft Office 365.
PaaS. PaaS CSPs offer a cloud-based development environment that lets organizations build and deploy their applications on top of a cloud platform. Like for SaaS, the PaaS CSP controls the cloud infrastructure that underlies the PaaS platform. Because PaaS sits lower in the SPI stack, it’s more extensible than SaaS. The built-in security features are less complete and there’s more flexibility for consumers to include additional security services. A good PaaS example is the Microsoft Azure platform.
IaaS. When using IaaS, organizations rent fundamental computing resources, such as processing power, storage space, and network segments, in the cloud. With IaaS, organizations have control over the OSs and applications they deploy on top of the rented computing resources. Of all the models, IaaS has the greatest extensibility. For security, this means that the IaaS CSP includes only basic infrastructure protection services: The OSs, applications, and content must be secured by the cloud consumer. A good IaaS example is the Amazon Elastic Compute Cloud (EC2) offering.
The SPI model shows that in the cloud, security is typically a shared responsibility that’s split between the cloud consumer and the CSP. Creating clearly defined service level agreements (SLAs) between the cloud consumer and the CSP is therefore critically important. As a cloud consumer, you might also require security audits of the CSP’s environment or some kind of proof that the CSP has implemented sufficient and effective security controls.
The degree to which you need SLAs and security controls in the cloud obviously depends on what part of your business you want to make dependable on the cloud. As for any security investment, it’s important that you first perform a solid requirements analysis and risk assessment.
Deployment Model Security
Regardless of the cloud service delivery model (i.e., SaaS, PaaS, or IaaS), cloud services can be deployed in a public (or external), private (or internal), or hybrid cloud. These three cloud deployment models affect how an organization manages and maintains security controls, as well as what security operations the organization is ultimately responsible and accountable for.
Public. A public cloud provides cloud services to organizations over the Internet. This model is hosted, operated, and managed by a third-party cloud service vendor that provides services from an Internet-facing data center. In a public cloud, security management is delegated to the third-party cloud service vendor. Because cloud consumers have no direct insight into the way the vendor implements, operates, and maintains security, cloud consumers and vendors might need to establish strict SLAs—but this requirement obviously depends on the criticality to your business of the applications and data you put in the public cloud. Similarly, consumers can require regular security audits to guarantee appropriate security controls.
Public clouds typically offer their services to different organizations using a common or shared IT infrastructure. This phenomenon is referred to as multi-tenancy and creates a set of interesting security challenges to guarantee that the different tenants’ (i.e., organizations’) data is isolated while it’s processed, transmitted, or stored on the shared public cloud infrastructure.
Private. A private cloud brings cloud services to private networks: It’s a cloud that serves a single organization. The network, computing, and storage resources underlying a private cloud are dedicated to one organization. For organizations that often deal with confidential or sensitive data, this is an important security argument. A private cloud allows organizations to take advantage of cloud features such as elasticity and flexibility while maintaining sufficient control and security for the organization’s data.
Private clouds don’t take away the possibility of outsourcing: A private cloud can be entirely or partially managed by a third party. In that context, an organization might decide to keep the responsibility of the entire security management and operation of its private cloud with its internal IT department, or to outsource certain security functions to a third-party provider.
A private cloud can be hosted on premises (in a customer-owned data center), off premises (in a third party’s data center), or partially on premises and partially off premises. Although the use of SLAs isn’t common in public clouds, SLAs are common when outsourcing is used for private clouds. SLAs give the private cloud consumer more control and insight into the security operation of its outsourced private cloud and make it easier to comply with standards, policies, and regulations.
Like for public clouds, private clouds can also have multi-tenancy security requirements. In a private cloud, an organization might require strict isolation between the data of its different internal business units.
Hybrid. A hybrid cloud is a mix of a private cloud and one or more public cloud components. It brings together the best of the private and public cloud worlds. Organizations might prefer a hybrid cloud approach to let them run their non-core applications in a public cloud, while putting their core applications and sensitive data in an on-premises private cloud. Because of its flexibility, there’s a fair chance that the hybrid cloud model will become organizations’ favorite cloud deployment model.
Security Priorities for Cloud Adoption
The main security priorities to keep in mind when your organization considers cloud adoption can be split across the following security areas: Governance, Risk, and Compliance (GRC); Identity and Access Management (IAM); infrastructure security; and data protection.
Governance, Risk, and Compliance. Perhaps the most important but also the most challenging security area to deal with in the cloud is GRC. The ultimate goal of GRC is to improve the overall security posture of a cloud solution by using formal methods for risk management, security controls assessment, and compliance monitoring.
A GRC program consists of several stages. It starts with a risk assessment to identify the security risks that the cloud solution will face and to identify the applicable regulations. The next step is to identify the security controls that can address the identified risks and ensure regulatory compliance. The CSP and the consumer must then decide on a monitoring and reporting system to check and report whether the controls effectively meet security requirements. Finally, the monitoring results might lead to improvements and changes to the security controls.
Certainly, GRC in the cloud isn’t a one-time activity but an ongoing process that’s constantly on the watch for new threats and security improvements. It might be difficult in the cloud to align the GRC processes of your organization with those of your CSP and to ensure regulatory compliance of geographically diverse cloud infrastructures.
Identity and Access Management. IAM incorporates services such as identity provisioning, authentication, authorization, and auditing. For IAM, the biggest cloud challenge lies in the changed trust boundaries. In most cases, the trust boundary in a cloud solution moves beyond the control of an organization’s IT department because it extends into the CSP’s infrastructure. This means that the reach of internal IAM systems must be extended to the CSP environment. If this is difficult, it must be counteracted by stronger authentication and authorization controls at the entry and exit points of the cloud solution.
For cloud-based authentication and authorization, you should consider identity federation solutions that build on the Security Assertion Markup Language (SAML) standard. For cloud-based provisioning, you should consider solutions that support the Service Provisioning Markup Language (SPML) standard. Finally, be sure that you get your internal IAM systems right before you consider linking your IAM system to the cloud. Many organizations have complex IAM systems that consist of different directory, access management, and provisioning solutions. Unless you simplify and streamline your internal IAM infrastructure, linking it to the cloud will become an even more complex task.
Infrastructure security. Infrastructure security incorporates security at the host, network, application, and virtualization layers of a cloud solution. If the cloud solution moves beyond the borders of the organization, infrastructure security responsibilities are split between the cloud consumer and the CSP. It’s crucial that cloud consumers understand and agree on the exact infrastructure security services the CSP will provide and which infrastructure security services they still must provide themselves.
On the network layer, you must especially protect the confidentiality and integrity of data while it’s in transit across public networks. You must also be on the lookout for attacks on the cloud solution’s Internet-facing entry points.
On the host layer, you must ensure that proper malware protection and security patching solutions are in place both on the level of client access points (e.g., laptops, desktops, PDAs, terminals) and on the level of the back-end server infrastructure in the cloud data center. Host security also includes the virtualization layer, which creates a set of new security challenges. You must make sure that you and your CSP provide sufficient security services on all virtualization levels, including the parent OSs, the guest OS, and the hypervisor layer.
Although application security is often neglected, studies show that most vulnerabilities are discovered at the application level. An important cloud application security priority is to ensure that your software is developed using a secure software development life cycle (SDLC). In the cloud, your organization or the CSP must also provide application-level security protection (e.g., through web application firewalls), patching, vulnerability scanning, logging and reporting, and integration with your IAM infrastructure. If your organization already has an established application security program, it might need updating to cope with the additional risks created by the cloud service delivery models.
Data protection. Data protection covers both data security (confidentiality, integrity, and availability protection) and data privacy protection. The primary means to provide data confidentiality and integrity in the cloud is encryption. Encrypting data introduces additional challenges related to secure key management and the secure processing of encrypted data in a multi-tenant cloud environment. For data availability, working and regularly tested backup and recovery mechanisms remain crucial security tools.
Data Loss Prevention (DLP) solutions are an emerging set of data-protection solutions for the cloud. Organizations can use DLP solutions to protect business-critical data in the cloud and prevent data leakage, distribution, or unauthorized use.
In the cloud, you might also want to pay special attention to data remnants, which are the residual representations of data after erasing, removing, or deleting the data from a CSP’s storage providers. To make sure that your data leaves no trace, you might want to require the use of advanced data and disk clearing and sanitization solutions.
Finally, data privacy protection in the cloud brings significant challenges if organizations and CSPs must adhere to different privacy regulations. The cloud currently also lacks technical tools to let individuals effectively control where Personally Identifiable Information (PII) is used, stored, and travels. Much remains to be done on the privacy front.
Risks vs. Benefits
Cloud computing can provide highly scalable and flexible IT services over Internet-based protocols. Important security challenges for organizations that consider cloud adoption include changes to the traditional security and trust boundaries and the associated loss of control. Implementing security controls is relatively easy if you have physical access to your applications and systems—but in the cloud, you must leave this responsibility to the CSP.
To cope with these challenges, organizations must extend or link key pieces of their current internal security infrastructures with the cloud and will need to rely on strict SLAs for the level of security the CSP is expected to deliver. Customers that have experience with IT outsourcing can benefit from past experience with dividing pieces of the security ownership cake.
Organizations should also be extremely careful when they migrate and store valuable data in the cloud; it’s absolutely paramount to check the CSP’s security controls to guarantee the appropriate level of data security. Finally, remember that any cloud-related security exercise must start off with a risk assessment and the creation of a proper GRC program that’s tailored to the cloud.