Part II Legacy Infrastructure vs Cloud: Changing Security Considerations.

Moazzam Khan
Published in allaboutsecurity, Aug 20, 2021
Photo by Jordan Harrison on Unsplash

2. Cloud Systems

For the cloud, the security considerations depend heavily on the cloud deployment model (public, private or hybrid) and on the cloud service category: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

Security Considerations Based on Deployment Models

· Public Cloud Security

A public cloud is typically owned by a private company or an organization and is open to the public for the services it provides. Some examples are Office 365, Google Cloud, Box, AWS, Azure, and IBM Cloud.

There are pros and cons to using public clouds in terms of security. Cloud vendors have years of experience managing their infrastructure and thus have seen most security issues and have controls in place, such as enterprise-class firewalls and even more sophisticated machine-learning-based monitoring, redundancy for hardware failures, and multiple layers of physical security. Some of the cons are that you are sharing the environment with other tenants, your data is accessible from anywhere and travels over the open internet, your data may be placed in geographic locations where it should not be, you are dependent on the vendor's terms of service, and the vendor could potentially access your data, including via malicious insiders. A more subtle consideration is that attackers target these public clouds because that is where they get the most "bang for their buck". For example, many security breaches have occurred because of insecure permissions on AWS storage buckets.

So when considering security on a public cloud you must ensure that your vendor is secure, that other tenants aren't able to see your data, that the vendor has been in business for a long time, and that it has the resources to continue to be around for a long time. Make sure data doesn't cross geographic boundaries if you have such limitations or need to comply with data privacy legislation.

· Private Cloud Security

A private cloud is owned by a company or an organization that runs its own data center and uses it for its own purposes, such as serving different departments inside the company. Since the organization owns all the hardware, software and physical space, there are several security advantages:

· your data has physical security,
· you have control over how your data is accessed,
· there are no concerns about a cloud vendor closing down,
· you have architectural control over security measures, and
· stricter security compliance is possible.

On the other hand, if you go the private cloud route you are responsible for doing all of the security yourself, and you can't take advantage of the network effect a public cloud vendor has, where the vendor learns and strengthens its security because it has visibility into a lot of customers.

Private clouds are similar to legacy networks in this regard. That is, your organization is responsible for their security, and you must protect them yourself.

· Hybrid Cloud Security

The hybrid model consists of a combination of public and private deployments. In a hybrid model customers have a great deal of flexibility: they can keep systems that need more control and stricter, finer-grained compliance than a public cloud can provide under their own control, and put other, less sensitive apps on the public cloud when they just need the auto-scaling, pooled resources and metered billing features of a cloud rather than stricter security controls. A solution such as IBM Cloud Pak for Security addresses the security challenges faced by hybrid cloud environments.

The following is a summary of the controls available to the security practitioner for each type of deployment model.

For security considerations based on cloud service category please read part III.
