
SaaS, PaaS, and IaaS: A security checklist for cloud models

Key security issues can vary depending on the cloud model you're using. Vordel CTO Mark O'Neill looks at 5 challenges.

By Mark O'Neill, CSO
January 31, 2011 03:10 PM ET

CSO - How does security apply to Cloud Computing? In this article we address that question by listing the top five security challenges for Cloud Computing and examining some of the solutions that make Cloud Computing secure.

Organizations and enterprises are increasingly considering Cloud Computing to save money and to increase efficiency. However, while the benefits of Cloud Computing are clear, most organizations continue to be concerned about the associated security implications. Due to the shared nature of the Cloud where one organization's applications may be sharing the same metal and databases as another firm, Chief Security Officers (CSOs) must recognize they do not have full control of these resources and consequently must question the inherent security of the Cloud. However, it is important to note that Cloud Computing is not fundamentally insecure; it just needs to be managed and accessed in a secure way.

All Cloud Models Are Not the Same

Although the term Cloud Computing is widely used, it is important to note that not all Cloud models are the same. As such, it is critical that organizations do not apply a broad-brush, one-size-fits-all approach to security across all models. Cloud models can be segmented into Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). When an organization is considering Cloud security it should consider both the differences and the similarities between these three segments:

SaaS: this model is focused on managing access to applications. For example, policy controls may dictate that a salesperson can only download particular information from a CRM application: only certain leads, only within certain geographies, or only during local office working hours. In effect, the security officer needs to focus on establishing controls over users' access to applications.

PaaS: the primary focus of this model is on protecting data, which is especially important in the case of storage as a service. An important element to consider within PaaS is planning for an outage at a Cloud provider: the security operation should consider load balancing across providers so that services fail over in the event of an outage. Another key consideration is the ability to encrypt data while it is stored on a third-party platform, and awareness of the regulatory issues that may apply to data availability in different geographies.

IaaS: within this model the focus is on managing virtual machines. The CSO's priority is to overlay a governance framework that lets the organization put controls in place regarding how virtual machines are created and spun down, thus avoiding uncontrolled access and potentially costly wastage.

The following checklist of Cloud security challenges provides a guide for Chief Security Officers who are considering using any or all of the Cloud models. Note that some of these issues can be seen as supplementing the good work done by the Cloud Security Alliance, in particular its March 2010 paper Top Threats to Cloud Computing.

For CSOs focused on PaaS

Challenge #1: Protect private information before sending it to the Cloud

There are already many laws and policies in place that disallow sending private data to third-party systems. A Cloud Service Provider is another example of a third-party system, and organizations must apply the same rules to it. It is already clear that organizations are concerned at the prospect of private data going to the Cloud. The Cloud Service Providers themselves recommend that if private data is sent to their systems, it should be encrypted, removed, or redacted. The question then arises: how can private data be automatically encrypted, removed, or redacted before it is sent to the Cloud Service Provider? Encryption in particular is CPU-intensive, and applying it inline to every outgoing message threatens to add significant latency.


Any solution should broker the connection to the Cloud service and automatically protect any information the organization does not want to share with a third party. For example, this could include private or sensitive employee or customer data such as home addresses or social security numbers, or patient data in a medical context. CSOs should look for on-the-fly data protection that detects private or sensitive data within the message being sent to the Cloud Service Provider and encrypts it such that only the originating organization can decrypt it later. Depending on policy, the private data could instead be removed or redacted from the outgoing data and re-inserted when the data is requested back from the Cloud Service Provider. One caveat when writing that policy: a field the provider must search, sort or report on cannot be made opaque without losing that function, so the decision to encrypt, tokenize or leave in clear has to be made per field.
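As an added example (not part of the original article, and not a Vordel product), the following Python sketch implements the broker described above using the "remove and re-insert" option: sensitive values are swapped for random tokens held in an on-premises vault before the record leaves the organization, and swapped back when the record comes home. The field names, the SSN pattern and the sample record are constructed for this example. A production broker would keep the vault in a database protected by a KMS, or encrypt the field under an on-premises key with an authenticated cipher such as AES-GCM instead of tokenizing.

```python
import re
import secrets

# Constructed policy for this example: field names that must never leave the
# organisation in clear text, plus a pattern so an SSN is caught even when it
# turns up under an unexpected key. Both are assumptions, not a standard.
SENSITIVE_FIELDS = {"ssn", "home_address", "patient_id"}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
TOKEN_PREFIX = "tok_"


class TokenVault:
    """On-premises store mapping random tokens back to the original values.

    The provider only ever sees the tokens. Because the mapping stays inside
    the organisation, only the originator can reverse the substitution.
    """

    def __init__(self):
        self._store = {}

    def tokenize(self, value):
        token = TOKEN_PREFIX + secrets.token_hex(16)  # random, not derived from value
        self._store[token] = value
        return token

    def detokenize(self, token):
        try:
            return self._store[token]
        except KeyError:
            # A token this vault never issued means tampering or a tenant mix-up.
            raise ValueError(f"unknown token {token!r}: not issued by this vault")


class CloudBroker:
    """Sits between internal systems and the provider, rewriting both directions."""

    def __init__(self, vault):
        self.vault = vault

    def outbound(self, data, key=None):
        """Return a copy of `data` with sensitive values replaced by tokens."""
        if isinstance(data, dict):
            return {k: self.outbound(v, k) for k, v in data.items()}
        if isinstance(data, list):
            return [self.outbound(v, key) for v in data]
        if key in SENSITIVE_FIELDS or (isinstance(data, str) and SSN_RE.match(data)):
            return self.vault.tokenize(data)
        return data

    def inbound(self, data):
        """Return a copy of `data` with tokens swapped back for the originals."""
        if isinstance(data, dict):
            return {k: self.inbound(v) for k, v in data.items()}
        if isinstance(data, list):
            return [self.inbound(v) for v in data]
        if isinstance(data, str) and data.startswith(TOKEN_PREFIX):
            return self.vault.detokenize(data)
        return data


def leaks_sensitive_data(data, key=None):
    """True if any sensitive value is still present in clear text (tokens excluded)."""
    if isinstance(data, dict):
        return any(leaks_sensitive_data(v, k) for k, v in data.items())
    if isinstance(data, list):
        return any(leaks_sensitive_data(v, key) for v in data)
    if isinstance(data, str) and data.startswith(TOKEN_PREFIX):
        return False
    return key in SENSITIVE_FIELDS or (isinstance(data, str) and bool(SSN_RE.match(data)))


# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "ssn": "123-45-6789",
    "home_address": "1 Main St",
    "emergency_contact": {"phone": "555-0100", "id_number": "987-65-4321"},
    "visits": [{"date": "2011-01-31", "notes": "routine"}],
}

if __name__ == "__main__":
    broker = CloudBroker(TokenVault())
    to_cloud = broker.outbound(SAMPLE_RECORD)
    print("sent to provider:", to_cloud)
    print("leaks?", leaks_sensitive_data(to_cloud))
    print("restored equals original?", broker.inbound(to_cloud) == SAMPLE_RECORD)
```

The `leaks_sensitive_data` check is the control a CSO would want to run at the egress point: the outbound copy is inspected after rewriting, and anything still matching policy blocks the send. Note that "987-65-4321" is caught by the pattern even though its key is not on the list, while "555-0100" passes through untouched.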

For CSOs Focused on SaaS

Challenge #2: Don't replicate your organization in the Cloud

Large organizations using Cloud services face a dilemma: if they have thousands of employees using Cloud services, must they create thousands of mirrored user accounts on the Cloud platform? Providing single sign-on between on-premises systems and the Cloud removes this requirement.

Users with multiple passwords are also a potential security threat and a drain on IT Help Desk resources. The risks and costs of multiple passwords are particularly relevant for any large organization making its first foray into Cloud Computing and SaaS applications. If an organization has 10,000 employees, it is very costly for the IT department to assign a separate password for Cloud Services to each user, and when a user forgets the SaaS password and resets it, they now have one more password to look after.


By leveraging single sign-on, an organization can let a user access both the desktop and any Cloud Services with a single credential. In addition to preventing security issues, there are significant cost savings: single sign-on users are less likely to lose passwords, reducing the assistance required from IT help desks. Single sign-on also helps with provisioning and de-provisioning. When a user joins or leaves the organization there is a single account to activate or deactivate rather than multiple passwords to deal with. In a nutshell, the dangers of not having single sign-on for the Cloud are increased exposure to security risks, the potential for increased IT Help Desk costs, and dangling accounts left behind after users leave the organization, which are open to rogue usage.
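Added example (not from the article): a minimal federated login in Python showing why the SaaS side needs no mirrored password store. The on-premises identity provider issues a short-lived signed assertion from its directory; the SaaS service provider only verifies the signature, the audience and the validity window. Removing a leaver from the directory stops any further assertions, so there is no dangling Cloud account to deactivate. The HMAC shared secret and the hypothetical audience URL are assumptions made to keep the example in the standard library; real SAML 2.0 or OpenID Connect federation signs with the IdP's private key and the SaaS side verifies with the public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the on-premises IdP and the SaaS SP.
# Assumption for this example only; production federation uses asymmetric keys.
FEDERATION_SECRET = b"example-federation-secret-do-not-reuse"
SAAS_AUDIENCE = "https://crm.example-saas.invalid"   # hypothetical SP identifier


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class OnPremIdP:
    """The corporate directory is the single source of truth for identity."""

    def __init__(self, directory):
        self.directory = directory   # {username: set of group names}

    def deprovision(self, username):
        """Leaver process: one deletion, and every federated service is cut off."""
        self.directory.pop(username, None)

    def issue_assertion(self, username, audience, now=None, ttl=300):
        if username not in self.directory:
            return None   # unknown or removed user: no assertion, no SaaS access
        now = int(time.time() if now is None else now)
        claims = {
            "sub": username,
            "aud": audience,                      # binds the assertion to one SP
            "iat": now,
            "exp": now + ttl,                     # short-lived, limits replay
            "groups": sorted(self.directory[username]),
        }
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(FEDERATION_SECRET, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(tag)


class SaaSServiceProvider:
    """The SaaS side stores no passwords; it only validates assertions."""

    def __init__(self, audience):
        self.audience = audience

    def login(self, assertion, now=None):
        """Return a session dict on success, or None with the reason logged."""
        try:
            body, tag = assertion.split(".")
            expected = hmac.new(FEDERATION_SECRET, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(tag)):
                return None                       # tampered or not from our IdP
            claims = json.loads(_unb64(body))
        except (ValueError, AttributeError, TypeError):
            return None                           # malformed assertion
        now = int(time.time() if now is None else now)
        if claims.get("aud") != self.audience:
            return None                           # replayed against the wrong service
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            return None                           # expired or not yet valid
        return {"user": claims.get("sub"), "groups": claims.get("groups", [])}


if __name__ == "__main__":
    idp = OnPremIdP({"alice": {"sales"}})        # constructed directory
    crm = SaaSServiceProvider(SAAS_AUDIENCE)
    token = idp.issue_assertion("alice", SAAS_AUDIENCE)
    print("login:", crm.login(token))
    idp.deprovision("alice")
    print("after leaving:", idp.issue_assertion("alice", SAAS_AUDIENCE))
```

The checks in `login` are the ones that matter in practice: signature first (constant-time compare), then audience, then time window. Skipping the audience check would let an assertion minted for one SaaS application be replayed against another that trusts the same IdP.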
