Security in the cloudsphere - Part 1
In this four-part series, we would deconstruct how cloud security is a vital cog in the overall enterprise security wheel. In any business, there is at least one component of software or service which has a footprint in the cloud. It could be as trivial as using Gmail or Outlook, as thorough as Amazon Web-service (AWS) or MS Azure and more complicated as using Internet of Things (IoT). Before we get to the business side of security, let us first understand the subtle differences in cloud types & services.
According to NIST SP 800-145, there are four different types of cloud environments in use across the Internet. Currently used cloud environments can be described as follows:
- Private cloud – The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
- Community cloud – The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
- Public cloud – The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
- Hybrid cloud – The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that CLIENTs data and application portability (e.g., cloud bursting for load balancing between clouds).
The types of Cloud Services are also evolving, but given the present, we can still look at them through these lenses.
(i) Software as a Service (SaaS)
- Cloud provider’s applications running on a cloud infrastructure
- Applications are accessible from various client devices, such as a web browser or a program interface
- e.g. Google Apps for Business
(ii) Platform as a Service (PaaS)
- Provides a platform for consumers to deploy applications
- Underlying platform is managed by the cloud provider
- e.g. AWS Elastic Beanstalk
(iii) Infrastructure as a Service (IaaS)
- Provides processing, storage, networks, and other fundamental computing resources
- Consumer is able to deploy and run arbitrary software, which can include operating systems and applications
- e.g. Amazon EC2, Windows Azure
Now that we have baselined the cloud concepts, in Part 2 of this series we would look at the risks echoed by companies and how to measure a cloud service provider's effectiveness. Stay tuned.
