Part III: Security Considerations Based on Cloud Service Category
· Infrastructure as a Service (IaaS) Security
In IaaS, the cloud provider maintains the underlying physical infrastructure, and customers control the nodes from the operating system level up. Because you are deploying your own workloads, typically as containers, extra considerations apply. Your security concerns are very similar to those of a private cloud, except that the cloud provider typically provides autoscaling, resource management, and network security.
Security Concerns with Auto Scaling
Expansion and auto scaling are two of the inherent features of cloud, but they come with some security concerns. When the cloud expands, all user access and authorization must keep their integrity and must not break. Similarly, each system should be carefully scanned for vulnerabilities, because when the platform auto scales these vulnerabilities scale with it and become more difficult to manage at later stages.
Physical Security
As the customer of an IaaS service, you don’t have to worry about the physical security of the assets because it is managed by the cloud provider.
Multitenancy
Multitenancy introduces a whole slew of problems. If a tenant is under any kind of attack, the attack can also propagate to other tenants on the same cloud host. For example, if one tenant is under a denial of service attack, then other tenants on the same host will also suffer, because host resources such as the processor, memory and network capacity of the underlying hypervisor are all being consumed by the attack.
Colocation of Threat
Since multiple VMs or containers are hosted on the same hardware, a threat that exists on one VM or container can potentially travel to an adjacent one.
Hypervisor and VM Security
In a cloud environment with virtualization, a hypervisor sits between the physical hardware and the hosted VMs. This layer doesn’t exist in an appliance-based datacenter, so it adds another consideration if you have to manage infrastructure in a cloud environment. Moreover, if a VM on a hypervisor gets compromised, the attack can easily propagate to other VMs because they are hosted on the same hypervisor.
Network Security
The security monitoring and auditing capabilities that are available in a traditional datacenter are very difficult to provide in a cloud environment because of multitenancy. In fact, most cloud providers are adopting a “zero trust policy”, which gives you visibility into only your own apps on the cloud network; if you run a scan, it will appear as though you are the only host on the network.
· Platform as a Service (PaaS) Security
In PaaS, the cloud vendor is responsible for provisioning the platform that is needed to run customers’ applications. This includes things like the operating system, libraries, etc. The most common PaaS cloud services are web servers, where the cloud provider provides the web server environment and the customer provides the web site itself.
Strict Security Controls
Cloud providers have strict security controls for the PaaS model. Users aren’t allowed access to system-level configurations. This ensures that users don’t misconfigure the system and cause vulnerabilities in it. This lack of customer control also makes patching and other security controls easier for the cloud vendor to manage, because the provided platform is consistent.
· Software as a Service (SaaS) Security
In the SaaS model everything including the infrastructure, platform and application is provided by the cloud provider to the customer. The cloud provider is responsible for the vast majority of the security issues in its platform, infrastructure and applications.
The main responsibility of the customer is to handle the user access and permissions to data. So, the customer should carefully evaluate all the security policies as they pertain to data and permissions and should have a strict contractual agreement with the provider for compliance, audits etc.
User Access
As workloads move to more and more SaaS applications, users are required to remember a lot of passwords and URLs. This can lead to security issues: a user may reuse the same password across multiple services, choose a simple, weak password that is easier to remember, or write passwords on Post-it notes, all of which make them easy to compromise. So organizations should have a single sign-on solution such as IBM Identity Management, where users can log on to all their SaaS applications using two-factor authentication.
Revoking Access
Access revocation is more important in SaaS because of the large number of SaaS applications that a typical organization has. The organization could fail to revoke a user’s access in some applications, and that could lead to disastrous results if a disgruntled employee who has left the company misuses access that should have been revoked. Foolproof access revocation policies should be in place.
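The check described above can be run as a periodic reconciliation between the user directory and each application's account list. The following is an added example, not part of the original article; the directory and account exports are constructed sample data and all user and application names are hypothetical.

```python
from datetime import date

# Constructed sample data: a directory export and per-application account
# lists. All user and application names are hypothetical.
DIRECTORY = {
    "alice": {"active": True, "left_on": None},
    "bob": {"active": False, "left_on": date(2024, 3, 1)},
    "carol": {"active": False, "left_on": date(2024, 5, 20)},
}
SAAS_ACCOUNTS = {
    "crm": {"alice": "enabled", "bob": "enabled"},
    "wiki": {"alice": "enabled", "bob": "disabled", "carol": "enabled"},
    "billing": {"dave": "enabled"},
}


def find_unrevoked(directory, saas_accounts, today):
    """Return (app, user, reason, days_since_leaving) for every enabled
    SaaS account that no longer maps to an active directory user."""
    findings = []
    for app, accounts in sorted(saas_accounts.items()):
        for user, state in sorted(accounts.items()):
            if state != "enabled":
                continue  # already revoked in this application
            entry = directory.get(user)
            if entry is None:
                # Account exists only in the application, not the directory.
                findings.append((app, user, "orphan", None))
            elif not entry["active"]:
                # Leaver whose access was never revoked in this application.
                days = (today - entry["left_on"]).days
                findings.append((app, user, "leaver", days))
    return findings


if __name__ == "__main__":
    for app, user, reason, days in find_unrevoked(
            DIRECTORY, SAAS_ACCOUNTS, date(2024, 6, 1)):
        age = "" if days is None else f", left {days} days ago"
        print(f"REVOKE {app}:{user} ({reason}{age})")
```

Accounts flagged as "orphan" have no directory entry at all, which is the case a directory-driven offboarding process never reaches.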
Secure Directory Integration
As organizations move to the cloud they want to utilize their existing user directories like AD or LDAP rather than creating a parallel directory for cloud. Make sure that the SaaS solution you adopt has the capability of integration with your existing directories and that it uses industry security standards such as TLS 1.2 or greater.
Access Visibility
Due to the anytime, anywhere, any device access nature of SaaS, an organization should be aware of who is accessing what resource and from where. An identification and access management solution that ensures this access visibility should be an essential consideration when deploying a SaaS solution.
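As an added illustration of access visibility (not from the original article), the sketch below summarises who accessed which application and flags the first time a user appears from a source not seen before. The log format, field order and sample events are constructed assumptions, not the output of any particular product.

```python
import csv
import io
from collections import defaultdict

# Constructed sign-in events (hypothetical format):
# timestamp,user,app,country,device
SAMPLE_LOG = """\
2024-06-01T08:02:11Z,alice,crm,US,laptop-01
2024-06-01T09:15:40Z,alice,wiki,US,laptop-01
2024-06-02T08:05:02Z,bob,crm,DE,laptop-07
2024-06-03T02:44:19Z,alice,crm,BR,unknown-phone
2024-06-03T08:01:55Z,bob,billing,DE,laptop-07
"""
FIELDS = ["time", "user", "app", "country", "device"]


def parse_events(text):
    """Parse the CSV sign-in log into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def access_report(events):
    """Return (apps_by_user, alerts). An alert is raised when a user with
    an existing baseline signs in from a new (country, device) pair."""
    seen = defaultdict(set)          # user -> {(country, device)}
    apps_by_user = defaultdict(set)  # user -> {app}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, source = ev["user"], (ev["country"], ev["device"])
        if seen[user] and source not in seen[user]:
            alerts.append((ev["time"], user, ev["app"], *source))
        seen[user].add(source)
        apps_by_user[user].add(ev["app"])
    return dict(apps_by_user), alerts


if __name__ == "__main__":
    apps, alerts = access_report(parse_events(SAMPLE_LOG))
    for user in sorted(apps):
        print(f"{user}: {', '.join(sorted(apps[user]))}")
    for time, user, app, country, device in alerts:
        print(f"NEW SOURCE {time} {user} -> {app} from {country}/{device}")
```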
Data Permissions
When using a SaaS service in a public cloud, concerns about data security are normal because your data resides in an environment where it is potentially accessible to other companies or individuals, such as the cloud provider or its employees. You may also not know where it resides physically, and the cloud vendor may put it in a data center in a geography where your regulations don’t allow it to be. Moreover, there are concerns about another tenant who is a competitor having visibility into your data. Other issues are how the data is backed up, how the keys are managed (remember data at rest encryption), and what happens if keys are lost. Organizations should implement a multilayered approach to protect their data. This approach should comprise elements such as encryption, access control, key management, security intelligence, database audit protection such as IBM Guardium, and security information and event management systems. IBM Cloud Pak for Security combines many of these features into one product.
In summary, most security concepts are similar for the traditional data center and for cloud environments. Considerations vary based on the deployment models and service categories. Before deploying your apps in the cloud, choose a deployment model and service category that best meet your security needs, such as whether you want segregation of networks, need auditing and monitoring capabilities, or need finer-grained access to configurations. If you have already inherited a deployment model, then you also have the option to tailor your security policy so that it aligns with the model.