The cloud isn’t one thing, so securing the cloud won’t be one thing either.
The industry has settled on a layered framework for understanding, comparing and selecting cloud-based services. Gartner’s model has these high-level layers (with subcategories in each layer):
- Infrastructure as a Service (compute, storage, etc.)
- Platform as a Service (middleware-like services such as database, queuing, identity services, etc.)
- Software as a Service (finished applications such as salesforce.com)
- Information/Data as a Service
- Business Process as a Service
- Security and Management as a Service
According to Gartner research, the fastest growing segment of all of these layers is IaaS.
In this research note just published for clients, my colleague, Lydia Leong, and I talk about the security considerations for IaaS services. We provide a framework for looking at the provider’s security capabilities as well as thoughts on strengthening the self-defending capabilities of your workloads.
From the research note:
Ultimately, you are responsible for the security of the workloads and data placed into IaaS. More than with any other layer of cloud-based computing services, organizations have flexibility of security controls with IaaS offerings, as the security and compliance of data and workloads is a combination of the service provider’s capabilities and the security controls placed within the workloads themselves, such as a local firewall and host-based IPS.
If you want the workload you place in the IaaS provider’s infrastructure (e.g., Amazon’s EC2) to be protected, you’ll need to think about what local host-based security software you might include within the workload. Alternatively, you might use a virtual appliance-based version of a security control that is coupled with the workload and placed into the IaaS provider’s infrastructure. The same applies to raw storage. If you want the storage encrypted, you’ll need to think about doing that before the information is stored, or by using an agent in the workload you place in the cloud.
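One way to encrypt data before it reaches the provider's raw storage, shown as an added example (not code from this post or the research note). It assumes the third-party Python `cryptography` package, uses envelope encryption as one possible design, and the names `seal`, `unseal`, `demo` and the dictionary standing in for the storage service are hypothetical.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12    # 96-bit nonce, the standard size for AES-GCM
WRAPPED_LEN = 48  # 32-byte data key plus 16-byte GCM tag


def seal(master_key: bytes, object_name: str, plaintext: bytes) -> bytes:
    """Encrypt one object locally; the returned blob is all the provider stores."""
    data_key = AESGCM.generate_key(bit_length=256)  # fresh key per object
    aad = object_name.encode()                      # binds the blob to its name
    wrap_nonce, data_nonce = os.urandom(NONCE_LEN), os.urandom(NONCE_LEN)
    wrapped = AESGCM(master_key).encrypt(wrap_nonce, data_key, aad)
    body = AESGCM(data_key).encrypt(data_nonce, plaintext, aad)
    # Layout: wrap_nonce | wrapped data key | data_nonce | ciphertext and tag
    return wrap_nonce + wrapped + data_nonce + body


def unseal(master_key: bytes, object_name: str, blob: bytes) -> bytes:
    """Decrypt a fetched blob; raises InvalidTag if it was altered or renamed."""
    aad = object_name.encode()
    wrap_nonce, rest = blob[:NONCE_LEN], blob[NONCE_LEN:]
    wrapped, rest = rest[:WRAPPED_LEN], rest[WRAPPED_LEN:]
    data_nonce, body = rest[:NONCE_LEN], rest[NONCE_LEN:]
    data_key = AESGCM(master_key).decrypt(wrap_nonce, wrapped, aad)
    return AESGCM(data_key).decrypt(data_nonce, body, aad)


def demo() -> dict:
    master_key = AESGCM.generate_key(bit_length=256)  # never sent to the provider
    bucket = {}  # constructed stand-in for the provider's raw storage
    name = "ledger/january.csv"  # constructed object name
    record = b"constructed sample record: account=1001 balance=250.00"
    bucket[name] = seal(master_key, name, record)
    results = {
        "provider_sees_plaintext": record in bucket[name],
        "round_trip_ok": unseal(master_key, name, bucket[name]) == record,
    }
    try:  # a blob copied under a different object name must not decrypt
        unseal(master_key, "ledger/february.csv", bucket[name])
        results["swap_detected"] = False
    except InvalidTag:
        results["swap_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The master key is the only secret that has to be kept away from the provider; each stored blob carries its own wrapped data key.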