Do You Have The Skills To Be Secure In The Cloud?

Do You Have The Skills To Be Secure In The Cloud?

CATEGORY:
Server Cloud Canada logo
by

Cloud security isn’t hard or new. It’s really just traditional concepts and concerns applied to an ‘unseen’ and multi-tenant environment. For example: IT pros familiar with applying patches to a windows server in a back closet, are now, in the cloud model, applying those same patches via RDP.

To correctly define, there are really five main architectural ‘methods’ for implementing and consuming cloud services and of course, the security concerns for each will vary. These models include familiar terms like SaaS and IaaS, private cloud and hybrid cloud etc. The (mostly) agreed upon NIST definitions can be found in the following ‘PDFaaS’: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

The security practices I’m addressing are in regards to the area I have the most hands on experience with working at Server Cloud Canada.

Here’s the NIST definition for IaaS:

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).”

So, your security concerns and responsibilities as an IT professional working in IaaS really fall under 3 main ‘layers’:

Layer 1: User access control

  • End-user password management (complexity, changes etc.)
  • Logging

Layer 2: The transportation of data to and from the cloud

  • VPN
  • Firewalls
  •  HTTP(S)

Layer 3: The protection of your operating systems and virtual machines

  • Patch management
  • Reporting/logging/monitoring
  • Virus and malware protecting
  • Operating system and application harding

To a seasoned IT pro, these concerns are a normal part of everyday life – easily handled by ‘already-in-place’ practices and processes. It’s not a stretch to say most IT pro’s and organizations are already equipped to successfully and securely manage cloud deployments.

Do the security concerns end there?

Absolutely not! Like the OSI model, there are still multiple layers of security that the cloud provider is responsible for. Things like physical protection of data centers, network monitoring, data access control and policy, geo-redundancy, and so on.

Ultimately, some trust will be placed in the providers hands. It’s very important to fully qualify any and all cloud providers you may work with to make sure they’re keeping up with their end of the bargain. In my post Canadian Privacy Laws and the Canadian Cloud: A Primer for Canadian Businesses I address some of the questions you should ask to get a good idea of security systems in place and how to feel out a provider.

You might also like
A Layered Approach to Cloud Security
Why Helion could be the game-changer the cloud has been waiting for Why Helion Could Be The Game-Changer The Cloud Has Been Waiting For
3 cloud trends for 2023 3 Cloud Trends for 2023
email is not safe Email is NOT Safe – Think Before You Send
Why Your Business Should Keep Its Data in Canada Why Your Business Should Keep Its Data in Canada
privacy law canada When Your Data Must Stay In Canada
canadian privacy laws pipeda compliant business Canadian Privacy Laws: PIPEDA And Your Business – An Evaluation
cloud adoption strategy Government Organizations Are Leveraging the Cloud to Better Serve the Population
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *