
Tuesday, July 5, 2011

Cloud Security Q&A: Different Approaches for SaaS, PaaS and IaaS

As mentioned in the previous posts, the Cloud Security Alliance (CSA) was formed with the aim of promoting the use of best practices for providing security assurance within cloud computing. In this post, we learn from Robert Temple, director and chief architect of security platform for BT Innovative & Design, about security concerns as they relate to three different types of cloud services.

Are there any significant differences when approaching security between the three cloud service models, SaaS (software as a service), PaaS (platform as a service) and IaaS (infrastructure as a service)?

Different kinds of cloud computing services expose different entry points into the cloud provider and offer to the customer different types of service management operations. In turn, these create different attack surfaces, severity and effects of exploits, as well as different probabilities of a security breach.  

From resilience and availability, multi-tenancy and data co-mingling, cloud provider lock-in, control of data location, protection of data at rest in the cloud, and compliance with regulations and law about privacy, data protection, cross-border data movement, auditing, etc., there are too many to list in this post, but here’s a quick snapshot of what customers should make themselves aware of:

SaaS customers should understand if their applications have been secured to established best practice guidance such as the Open Web Application Security Project (OWASP) and ensure that application level security controls have been implemented (for example, application-aware firewalling and intrusion prevention systems).

IaaS customers should understand how resource sharing occurs within your cloud provider – if you require significant scaling-up of provision at the same time as other users of the same cloud, it may risk breaching the capacity of the cloud provider, and therefore affect availability. Also, you should be aware if your cloud provider’s technology architecture uses new and unproven methods for failover and verify what they use for disaster recovery, and you should understand how your cloud provider deletes ‘old’ data, particularly on the cessation of a contract.

For the PaaS in particular, a cloud provider’s patch management policies and procedures have significant security impact, so the customer should ensure the patching policy is documented.

For a more elaborate analysis on risks and best practices for these see also the Cloud Computing Risk Assessment report by ENISA and the security guidelines of CSA: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment and http://www.cloudsecurityalliance.org/csaguide.pdf
