Sometimes I Can’t Tell Where You End and I Begin: Security
Cloud computing provides a flexible way to rapidly deploy new applications and services to your organization, and there are real operational advantages to including cloud services in the enterprise portfolio. From a security perspective, the challenges are determined by the service model you choose to deploy. Security controls, and the assurance that those controls are in place and operating effectively, are among the goals of an IT security program. For instance, if you own a private cloud, you are responsible for the security of every layer, from the physical infrastructure up to the applications and the data access controls. You are also responsible for the assurance that the security controls you put in place are actually working.
The level of effort for implementing security controls decreases as you move through the service models: Private > IaaS > PaaS > SaaS. The level of effort for gaining assurance that the security controls are working does not decrease in the same way; you still need to validate them. You also need to understand what the cloud provider is responsible for protecting versus what you, as the consumer, are responsible for. If the cloud provider is not protecting the application layer, then you are still on the hook for it. And if you and your organization do not have the expertise and experience to protect application-layer assets today on company-owned infrastructure, chances are you will not have them tomorrow either. So while the storage and compute, and even the application server itself, are secured by the cloud provider, the rest is up to your organization.
I believe that most reputable cloud providers provide reliable and secure offerings. It is up to the users of these services to fully understand their role in security and assurance when using them, and what that relationship with the provider is going to look like moving forward.
To better understand where the responsibility and accountability for implementing security in any cloud environment resides, I would take a look at the guidance available from the National Institute of Standards and Technology (NIST), the Cloud Security Alliance, and the International Standards Organization (ISO). There is overlap between these sources, so find the one that suits your organization’s management style. Review the recommendations from the guidance you choose, and then determine who is going to implement each requirement, what the criteria for success will be, and the methods you will use to gain assurance that the measures put in place to enforce the security controls are working.