Security is on everyone's mind, but even more so when we're talking about cloud-based resources that are directly connected to the internet.
Let's first understand what cloud is. Cloud means renting hardware and software from a cloud service provider (CSP) to deliver a service over a network (typically the Internet). With cloud computing, users can access files and use applications from any device that can access the Internet. Traditionally, to use these services an organization had to purchase the hardware and software for its specific use and make a capital investment, whereas with cloud you pay as per usage and your expenses are operational. Because a cloud service is "pay as you use", it becomes more economical compared to capital expenses. The cloud service provider bears the expenses of the data center, power and air conditioning, and the client need not bother about them. The client only needs Internet connectivity and a device to access these services. Major examples of cloud service providers are Microsoft, Amazon, Google, etc.
1. Cloud deployment models
From a deployment perspective, there are three categories of cloud services:
- Private: The cloud infrastructure is provided for exclusive use by a single organization. It is similar to a dedicated data center provided in the cloud. This can be on-premises or off-premises.
- Public: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
- Hybrid: This is a combination of private and public cloud.
2. Cloud services
From a service perspective, cloud is categorized into mainly three types:
- Infrastructure as a Service (IaaS): The cloud provider provides the physical infrastructure for your hosting solution, for example data centers, servers, CPU, memory, and storage. All of this infrastructure is provided for you and is rented to you as a service.
- Platform as a Service (PaaS): A platform as a service is where there is some limited deployment of an underlying platform, like Windows or a database solution, that has already been implemented as a platform. It builds on top of the infrastructure, so you have the infrastructure plus the platform provided to you as a service. So this is IaaS + PaaS.
- Software as a Service (SaaS): Software as a service is where the infrastructure and the platform are already there, and application software is deployed on top of that platform. For example, an email solution or Office 365.
3. Cloud security
With Infrastructure as a Service (IaaS), which is the actual underlying infrastructure, all of the software, all of the platforms, all of the operating systems and everything that you deploy on top of that infrastructure must be secured the same way that you're currently securing your resources on-premises.
If we go a little further and look at a Platform as a Service (PaaS) solution, the security requirements are mostly defined in the configuration and the deployment of what is going to sit on top of that platform. So if you have a storage solution or a document management solution that is going to reside within the platform provided by the cloud provider, the security settings that you have to manage are the security settings for that specific software, for the specific tool that you're deploying into the platform. They will be very specific to that application. The deployment that you use for that application is going to have some security requirements around it as well, and you will define all of those as part of your deployment solution.
If we go to a Software as a Service (SaaS) solution, our security requirements are generally restricted to the way users behave and the configurations available in the user interface. If you've got, for example, Exchange Online, where you're provided with a set of user settings and a set of configurations, the way that you manage those configurations and those settings defines your security for that software.
4. Cloud security responsibility
The image shown in this article presents the cloud security responsibility of the customer and the cloud service provider.
The security responsibility of the cloud service provider (CSP) and of the customer depends upon the type of service taken. Customer data is at risk, so the customer needs to ensure that the above security responsibilities are carried out on both sides. Security due diligence and a cloud risk assessment need to be done before going for cloud services.