Use of cloud services is expected in today’s enterprise. Whether for storage, hosted applications, data backups, or numerous other reasons, you would be hard-pressed to find an organization that doesn’t have (minimally) dozens of cloud services operational at any given moment. When “cloud” hit the mainstream about ten years ago, security professionals were skeptical, pushing back as hard as they could, for fear of security unknowns, chiefly, the inability to control an outsourced/offsite/third-party environment. But just like laptops, smartphones, and other technology innovation before it, cloud forged its way into the enterprise despite security teams’ concerns.
Arriving at today, it has become fairly well accepted that most cloud providers—the biggest names in the market, especially—are security-conscious. With all that’s at stake, providers understand that their reputation—and possibly more importantly to them, their revenue potential—rides on their ability to maintain the confidentiality, integrity, availability of the data and services that reside in and flow through their systems. However, all cloud is not created equal; not all cloud platforms provide or even promise, the same level of security, and this is where cloud consumers get tripped up. When it comes to public and hybrid cloud, enterprises must understand the differences between models to be able to develop a cloud security strategy. Cloud security, no matter how you look at it, requires shared responsibility. Levels of responsibility change as you, the consumer, utilize different platforms/services, but the consumer always (minimally) maintains an obligation to the data, no matter whose hardware is housing it.
The three most common public cloud models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
SaaS
In terms of user commitment, SaaS is the least burdensome security wise. In a SaaS model, the provider supplies the entire infrastructure including the applications that run inside the cloud—those with which the user interacts. Prototypical SaaS providers include Salesforce.com, GoToMeeting, and GitHub. Because the provider leases out the use of the application(s), essentially, the provider is therefore responsible for securing the entire environment. From architecting a secure workspace inside which data and apps reside and communicate (including securing the physical infrastructure and network) to regularly testing the environment for weaknesses and compromises, the provider maintains a high level of security responsibility to its users.
Users, for their part, are liable for the data input to the provider’s environment, and for data access management—assignment of credentials and managing access permissions. That said, just because the user/consumer is responsible for the data and credential/admin assignment, the provider shares responsibility since once that data is inside the provider’s cloud, the provider must take appropriate measures to ensure unauthorized credentials aren’t created, that adversaries can’t breach stored credentials or data, that the API between the user and the provider is secure, that encryption around the data isn’t broken, that zones are properly segmented and disparate users can’t access others’ data, etc.
In a SaaS model, the customer must think first and foremost about the data and access lifecycle but also work to understand how the provider is supplying security along with the environment. Because the consumer is so dependent on the provider for the security of their data, any usage should start with a thorough security evaluation before contracts are signed between parties, and continue with regular assessments following the contracting process. Though the user may not be directly responsible for locking down and tightening up the actual environment, the user is always responsible for oversight because, at the end of the day, it’s the data itself which is of utmost importance.
PaaS
In a PaaS model, the cloud provider is responsible for the entire infrastructure—compute, storage, and networking resources, secure configurations, host and hypervisor—just as with SaaS, but this time the user supplies the applications and data. Any workloads or operating systems inside the environment must be secured by the user rather than the provider. As a result, while shared responsibility remains, the allocation is more 50/50 than in a SaaS model. Not only does the user need to ensure that any data going into the cloud is secured and encrypted and that user permissions are set up correctly, but they need to consider how to secure data in transit and testing of both data integrity and confidentiality and the OS.
In a PaaS model, application security becomes critical, especially when apps are developed and deployed within the cloud. Users can consider implementing data leak protection (DLP), microsegmentation, and (of course) ongoing testing for vulnerabilities and/or hijacked communications.
Access management continues to be a significant responsibility in PaaS; though the cloud provider is responsible for the API, data and privileged user management is a shared responsibility between user and provider. As credential management—especially for privileged accounts—are an attacker’s keys to the kingdom, users must be vigilant about who has access to what.
As with SaaS, pre-procurement evaluation and an attentive contracting process are crucial. However, in PaaS, the user has hands-on responsibility for secure policies and controls throughout the entire contractual agreement.
IaaS
The user/consumer responsibility is highest in an IaaS model, as everything from the administration of the network to the management of applications and data falls to the user. As with PaaS, the infrastructure itself is secured by the provider, but essentially everything else—workloads, data, apps, networking, communications, zoning/segmentation, resource allocation, creation and enforcement of policies, testing, etc. — is supplied by the user.
In IaaS, the consumer is effectively renting the space. It would be like renting an empty warehouse for a big party: the lessor is responsible for ensuring that the physical space is available, not in danger of falling down and that there are no wild animals or masked murders hiding in corners. Everything else—guests, tables, and chairs, food and beverage, lighting, sound/music, etc.—is the responsibility of the lessee.
This doesn’t mean, though, that the provider is liability-free. Indeed, the provider maintains responsibility for the infrastructure, but what’s placed inside (and how it’s managed) is up to the consumer. This means that while it’s important for potential users to evaluate the “premises” prior to usage, the obligation for secure design, implementation, networking, data collection, encryption, monitoring, responding to alerts, access controls, secure data disposal, etc. lies in the hands of the user.
How much?
Regardless of which model you choose, outsourcing any portion of data management does not abdicate responsibility for that data. The more “hands off” the provider, as with IaaS and PaaS, the greater your burden (and ultimately, liability). Working with a cloud provider, though, can supply some assurance that at least portion of your security responsibility is in the hands of experts (if you choose the right ones). Cloud providers often offer economies of scale that individual organizations can’t maintain, and because they’ve worked with many types of companies, they may be able to propose guidance on security best practices even if they won’t directly manage certain functions.
Attend the MISTI & the Cloud Security Alliance Congress, December 11-12, 2018 in Orlando, FL to learn how to better secure your cloud instances and implementations.