How to make sure your cloud delivery platform is secure
Trying to find the right balance for the "hybrid" part of your cloud strategy? You have several decisions to make, particularly in regard to the business's security needs. In choosing a cloud provider and type of cloud model, "you need to know what you are responsible for and the threat level you are willing to accept," says Simon Leech, chief technologist for Hewlett Packard Enterprise's digital solutions and transformation team.
Public clouds come in an assortment of delivery models, each with its own security and privacy features: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Let's use an example of a home security system to illustrate the differences.
An IaaS model provides a customer with infrastructure tools (compute, storage, and connectivity) and basic security tools—a firewall to protect the infrastructure and not much else. It is rather like living on a ritzy estate that has a 24/7 security guard who physically checks everyone coming in or going out of the estate. However, whilst the estate's properties have doors and windows, it's up to you to make sure they're locked when you go out.
Under a PaaS model, imagine the house has now got an alarm system, which gives you some protection if someone tries to break in. The alarm (metaphorically) keeps away attackers by regularly patching and updating the development platform and related IT systems. But if your teenage kids have a party when you go away for the weekend, that security system will not do anything to stop them from breaking your favorite vase (or the application you created).
A SaaS application delivery model is like having a fully automated 24/7 managed home security system, says Leech, with infrared sensors and Internet-connected cameras that can alert a third party about intrusions (or breakages) in any room, and let them respond appropriately. In this example, each room represents a different application used by a company, but fully managed and secured by the SaaS provider.
Cloud security responsibility
SaaS is often the easiest cloud delivery model for an organization to adopt. Examples include Google's Gmail, Facebook, and Salesforce. It applies to vertical applications as well, such as using Workday to provide HR services. All provide SaaS delivery by offering applications through portals rather than requiring installation on the user's computers.
With SaaS, the cloud service provider is responsible for everything security-related, from secure development of the online applications to antimalware protection, including the protection of the server or virtual server hardware infrastructure underneath. The customer's IT team administers only user identity authentication (that is, creating user logins).
You can outsource operations, but you can't outsource risk.
In PaaS cloud models, users and service providers divide the security responsibilities between them. PaaS vendors essentially provide a ready environment in which users can develop and deploy applications. The vendor supplies components such as perimeter firewalls, operating systems, storage, platform security services, and system patches.
IaaS vendors let their customers install, maintain, and patch their own operating systems, antivirus, and other applications, in addition to assigning and maintaining security policies for the IaaS firm's own workers. The IaaS cloud services provide and maintain on-demand infrastructure such as compute, storage, and networking resources, which customer IT departments can provision to meet the needs of their own users.
"It's like buying a virtual compute instance, instead of having a computer actually sitting underneath your desk," says Leech. "It gives users access to larger, more powerful compute systems."
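In the IaaS model described above, the provider runs the perimeter guard but the customer still has to lock its own doors: firewall rules and guest OS patching stay on the customer's side. The following added example (written for this edit, not code from the article or from HPE) shows the kind of self-check that responsibility implies. It audits a constructed, simplified rule set modelled loosely on cloud security-group rules, flagging administrative ports reachable from any address, and lists instances whose last patch date is older than a chosen window. The rule fields, the instance inventory and the 30-day patch window are all assumptions for illustration.

```python
"""Customer-side IaaS hygiene check: world-open admin ports and stale patching.

Added example for this article; the rule and inventory formats are
constructed for illustration and do not mirror any specific provider's API.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress

# Ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" or "egress"
    proto: str       # "tcp", "udp" or "-1" meaning any protocol
    from_port: int   # inclusive port range start
    to_port: int     # inclusive port range end
    cidr: str        # source (ingress) or destination (egress) network


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule: Rule, port: int) -> bool:
    """A TCP or any-protocol rule whose port range includes `port`."""
    return rule.proto in ("tcp", "-1") and rule.from_port <= port <= rule.to_port


def find_open_admin_ports(rules):
    """Return sorted, de-duplicated (service, port, cidr) tuples for admin
    ports that ingress rules expose to the whole internet."""
    findings = set()
    for rule in rules:
        if rule.direction != "ingress" or not is_world_open(rule.cidr):
            continue
        for port, service in ADMIN_PORTS.items():
            if rule_covers_port(rule, port):
                findings.add((service, port, rule.cidr))
    return sorted(findings)


def stale_instances(last_patched: dict, as_of: date, max_age_days: int = 30):
    """Return sorted instance names not patched within `max_age_days` of `as_of`."""
    return sorted(
        name for name, patched in last_patched.items()
        if (as_of - patched).days > max_age_days
    )


def audit(rules, last_patched: dict, as_of: date) -> dict:
    """Combine both checks into one report a team could act on."""
    return {
        "open_admin_ports": find_open_admin_ports(rules),
        "stale_instances": stale_instances(last_patched, as_of),
    }


# Constructed sample data: one deliberately sloppy rule set and inventory.
SAMPLE_RULES = [
    Rule("ingress", "tcp", 443, 443, "0.0.0.0/0"),     # public web, acceptable
    Rule("ingress", "tcp", 22, 22, "0.0.0.0/0"),       # SSH open to the world
    Rule("ingress", "tcp", 22, 22, "10.0.0.0/8"),      # SSH from private range, fine
    Rule("ingress", "-1", 0, 65535, "0.0.0.0/0"),      # any protocol, any port, anywhere
    Rule("egress", "-1", 0, 65535, "0.0.0.0/0"),       # egress is not checked here
]
SAMPLE_PATCH_DATES = {
    "web-1": date(2024, 5, 20),
    "db-1": date(2024, 3, 1),
}
SAMPLE_AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    report = audit(SAMPLE_RULES, SAMPLE_PATCH_DATES, SAMPLE_AS_OF)
    for service, port, cidr in report["open_admin_ports"]:
        print(f"world-open admin port: {service}/{port} from {cidr}")
    for name in report["stale_instances"]:
        print(f"instance overdue for patching: {name}")
```

The any-protocol rule is reported for both SSH and RDP even though it names neither port explicitly; that is the point of testing coverage rather than string-matching rule text. In practice the rule list would come from the provider's API and the patch dates from the configuration management system, but the decision logic is the customer's to own under IaaS regardless of where the data comes from.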
It's up to you to choose the level of service you need from a cloud provider, including how much IT infrastructure to leave to someone else rather than maintain yourself. But none of that decision-making means that IT departments give up their responsibilities for risk when it comes to the company's corporate and user data, privacy, and security.
"You can outsource operations, but you can't outsource risk," says Leech. "It's my risk to screw up badly or to deal with it."
When you're assembling and configuring a hybrid cloud, selecting the right public cloud delivery systems is just one critical decision in a long checklist of related tasks, including detailed risk assessments, data encryption, layered security systems, and security by design. Security personnel should be involved from the start to ensure that security and infrastructure topics are addressed.
"There are a number of things to think about at every step," says Leech.
Cloud security questions to ask potential vendors
Choosing the right public cloud delivery platforms to integrate into a company's cloud infrastructure is typically a challenging decision. "The value of cloud services is not a one-size-fits-all decision," says Charles King, principal analyst at research firm Pund-IT.
"CIOs and other executives need to determine what their goals are when engaging with a cloud provider," King adds. Among the decision points is what information can be stored off premises and what can be stored on premises. "That's one of the reasons why hybrid cloud is popular."
"You have to have serious discussions with the cloud providers to know what they are doing," King says. Ascertain that what they do matches your security requirements. "The vendors will guarantee certain levels of security, certain levels of encryption, and specific data and application availability." Be sure that you and they share the same expectations.
King recommends you ask the following questions when evaluating cloud vendors:
- What data is encrypted in transit, so that it remains protected even if it is intercepted by attackers?
- What specific encryption tools are used to protect the data? Different levels of encryption offer varying levels of protection. Why did the vendor choose this set?
- When and how will the cloud vendor notify your company about a breach? Does this occur immediately or after the vendor blocks it or takes some other corrective action?
- What detailed policies does the provider have in place to protect customer data before or after a discovered breach?
- What are the vendor's procedures to scrub its infrastructure of a company's critical data if the customer chooses to leave the service?
"The main thing is that companies need to keep their eyes open about every detail," King says.
Ultimately, no single public cloud model fits every use case for every customer, according to Leech. Most use combinations of all three. The decisions are ruled by users' security requirements, including specific use cases and the ease of implementation. For hybrid cloud users, it's that kind of flexibility that makes such services so appealing.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.