Security in the cloud has been a hot topic for a long time now, yet many individuals and organizations fail to realize the implications of security, while others have not performed enough due diligence to select the solution they need. Cloud computing requires controls for addressing threats that jeopardize confidentiality, integrity and availability. The purpose of this article is to delineate existing cloud security implications and determine which cloud archetype is best suited for a particular business case.
Security implications change based on the cloud use case and the chosen cloud archetype. The most common cloud computing use cases relate to infrastructure, since organizations leverage Infrastructure-as-a-Service (IaaS) to migrate data centers to a virtualized environment. However, two more archetypes promise even more value when it comes to applications: Platform-as-a-Service (PaaS), which is consumed as cloud provider web services, and Software-as-a-Service (SaaS), which delivers fully functional applications.
To better understand the security implications, let’s focus on the infrastructure and applications use cases.
When organizations think of infrastructure, what usually comes to mind is migrating their data centers to the cloud (IaaS) by creating virtualized environments that provide the same functionality but include other benefits, from cost reduction to resiliency. This specific use case, even when implemented as a private cloud, has threats that usually go ignored with no control put in place, leaving environments vulnerable to attacks. The security implications include:
Organizations build or consume cloud-based applications. These scenarios present specific security implications, whether you’re using SaaS or PaaS. On one hand, from a SaaS perspective, organizations benefit from fully functional applications that reduce software development costs and provide “pay only what you use” engagement models. While these are very attractive to customers, security implications fall under the following:
On the other hand, PaaS provides a set of web services that give full capability to developers to integrate those services as an intrinsic part of their applications and fully benefit from specialized services, such as:
Therefore, the most important security implication with PaaS is defining the right web services implementation based on the cloud computing pattern that best suits the application needs. Some patterns include:
On and Off: workloads that do not require resources 100 percent of the time
Growing Fast: services that become successful need to scale and keep up with growth
Unpredictable Bursting: unexpected and/or unplanned peak in demand that may impact performance
Predictable Bursting: services with seasonality trends that scale up due to periodic increased demand
The cloud is a very flexible solution that allows you to solve those challenges by enabling you to scale up/down, reducing your infrastructure investment and converting your capital expenditures into operational expenditures. Each service demands a set of security responsibilities that someone must assume to ensure there are no gaps or ambiguities. These responsibilities are managed by the vendor or the user based on the cloud archetype, as follows:
Whatever cloud service providers (CSPs) promise, organizations need to realize that protecting the information in the cloud will always be the organization’s responsibility. For that reason, organizations must complete enough due diligence to fully understand the cloud archetype that makes the most sense for their particular challenge.
Recently, the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance (CSA) released two very important documents for the cloud: “Cloud Computing Security Reference Architecture (SP 500-299)” by NIST, and “The Notorious Nine Cloud Computing Top Threats in 2013” by CSA. These two sources host a wealth of information for those concerned about cloud security.
The intrinsic concern for data protection in today’s cloud-enabled environment is not disappearing, despite the evolution of cloud computing. A number of commonly known advantages continue to entice organizations to move to the cloud. The companies that will truly be able to realize these perks and reap the benefits are those that take the time to assess their unique obstacles, ask the right questions and self-inform.
Leonel Navarro is Practice Manager & Business leader for Softtek Information Security Practice. He is a certified project management professional (PMP) and a certified information systems security professional (CISSP). Navarro’s twelve years of experience in IT operations with teams based in Mexico, the United States, and China, combined with critical customer-facing positions he has held, enable him to perform the overall coordination of the Sales, Marketing, Product Management and Strategic Alliances strategy for Softtek’s Information Security Service offering while overseeing the delivery of those services with existing clients. Leo holds a Bachelor in Electrical Engineering & Computer Architecture from ITESM.