The cloud isn’t one thing, so securing the cloud won’t be one thing either.
The industry has settled on a layered framework for understanding, comparing and selecting cloud-based services. Gartner’s model has these high-level layers (with subcategories in each layer):
- Infrastructure as a Service (compute, storage, etc.)
- Platform as a Service (middleware-like services such as database, queuing, identity services, etc.)
- Software as a Service (finished applications such as salesforce.com)
- Information/Data as a Service
- Business Process as a Service
- Security and Management as a Service
According to Gartner research, the fastest growing segment of all of these layers is IaaS.
In this research note just published for clients, my colleague, Lydia Leong, and I talk about the security considerations for IaaS services. We provide a framework for looking at the provider’s security capabilities as well as thoughts on strengthening the self-defending capabilities of your workloads.
From the research note:
Ultimately, you are responsible for the security of the workloads and data placed into IaaS. More than with any other layer of cloud-based computing services, organizations have flexibility of security controls with IaaS offerings, as the security and compliance of data and workloads is a combination of the service provider’s capabilities and the security controls placed within the workloads themselves, such as a local firewall and host-based IPS.
If you want the workload you place in the IaaS provider’s infrastructure (e.g., Amazon’s EC2) to be protected, you’ll need to think about what local host-based security software you might include within the workload. Alternatively, you might use a virtual appliance-based version of a security control that is coupled with the workload and placed into the IaaS provider’s infrastructure. For raw storage, it’s the same thing. If you want the storage encrypted, you’ll need to think about doing that before the information is stored, or by using an agent in the workload you place in the cloud.