Cloud security isn’t hard or new. It’s really just traditional concepts and concerns applied to an ‘unseen’, multi-tenant environment. For example, IT pros familiar with applying patches to a Windows server in a back closet are now, in the cloud model, applying those same patches to a virtual machine over an RDP session.
To be precise, NIST defines three service models (SaaS, PaaS and IaaS) and four deployment models (private, community, public and hybrid cloud) for implementing and consuming cloud services, and of course the security concerns for each will vary. The (mostly) agreed-upon NIST definitions can be found in the following ‘PDFaaS’: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
The security practices I’m addressing are those in the area I have the most hands-on experience with, working at Server Cloud Canada.
Here’s the NIST definition for IaaS:
“The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).”
So, your security concerns and responsibilities as an IT professional working in IaaS really fall under three main ‘layers’:
Layer 1: User access control
- End-user password management (complexity, rotation, lockout, etc.)
Layer 2: The transport of data to and from the cloud
Layer 3: The protection of your operating systems and virtual machines
- Patch management
- Virus and malware protection
- Operating system and application hardening
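As an added example (not from the original post and not Server Cloud Canada’s tooling), here is a PowerShell self-audit you can run inside an IaaS Windows Server VM over that same RDP session to spot-check the three consumer-side layers above. It assumes an elevated session on Windows Server 2012 R2 or later with the Defender and NetSecurity modules present; the three-day signature age and 30-day patch age thresholds are my own assumed values, not anything the post prescribes.

```powershell
# Added example (not part of the original post): quick self-audit of an
# IaaS Windows Server VM against the three consumer-side layers.
# Assumes an elevated PowerShell session on Windows Server 2012 R2 or later
# with the Defender and NetSecurity modules; both thresholds are assumed values.

$maxSignatureAgeDays = 3    # assumed threshold for antivirus definition age
$maxPatchAgeDays     = 30   # assumed threshold for days since the last hotfix

# --- Layer 1: user access control -------------------------------------------
# Effective local password policy (complexity rules themselves live in secedit/GPO).
Write-Host "`n[Layer 1] Local password policy:"
net accounts | Select-String 'Minimum password length|Maximum password age|Lockout threshold'

# RDP should require Network Level Authentication so credentials are verified
# before a full session is built (UserAuthentication = 1).
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) { Write-Warning 'RDP does not require Network Level Authentication' }

# --- Layer 2: data in transit -----------------------------------------------
# Host firewall enabled on every profile, and inbound RDP not reachable from "Any".
Write-Host "`n[Layer 2] Host firewall profiles:"
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue
foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        Write-Warning "Inbound RDP rule '$($rule.DisplayName)' is open to any remote address; restrict it to your management IPs or a VPN"
    }
}

# --- Layer 3: OS and VM protection ------------------------------------------
Write-Host "`n[Layer 3] Most recent hotfixes:"
$hotfixes = @(Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending)
$hotfixes | Select-Object -First 5 HotFixID, Description, InstalledOn | Format-Table -AutoSize
if ($hotfixes.Count -gt 0) {
    $patchAge = ((Get-Date) - $hotfixes[0].InstalledOn).TotalDays
    if ($patchAge -gt $maxPatchAgeDays) {
        Write-Warning ("No hotfix installed in {0:N0} days" -f $patchAge)
    }
}

# Antimalware state: real-time protection on and definitions reasonably fresh.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { Write-Warning 'Defender real-time protection is disabled' }
if ($mp.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    Write-Warning "Antivirus signatures are $($mp.AntivirusSignatureAge) days old"
}
```

Each Write-Warning corresponds to one of the layers the post lists; a clean run prints only the policy, firewall and hotfix tables. The script reports but deliberately changes nothing, so it is safe to run as a first look at a freshly provisioned VM before you start hardening it.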
To a seasoned IT pro, these concerns are a normal part of everyday life, easily handled by already-in-place practices and processes. It’s not a stretch to say most IT pros and organizations are already equipped to manage cloud deployments successfully and securely.
Do the security concerns end there?
Absolutely not! Like the OSI model, there are still multiple layers of security below yours, and these are the cloud provider’s responsibility: physical protection of data centers, network monitoring, data access control and policy, geo-redundancy, and so on.
Ultimately, some trust will be placed in the provider’s hands. It’s very important to fully qualify any and all cloud providers you may work with, to make sure they’re keeping up with their end of the bargain. In my post Canadian Privacy Laws and the Canadian Cloud: A Primer for Canadian Businesses, I address some of the questions you should ask to get a good idea of the security systems in place and how to feel out a provider.