Security in the Clouds

“There is no security on this earth, there is only opportunity.”
General Douglass MacArthur

Think about it. If a five-star general with more than a passing acquaintance with the Sherman tank wasn’t convinced security existed even after winning WWII, who can blame IT professionals for still having a few doubts about the safety of cloud computing? Unlike previous computing revolutions IT has weathered (mainframe to client-server, client-server to Web), cloud computing challenges traditional security assumptions and approaches. For starters, there are actually three models of cloud computing, each with its own level of exposure, risk and security needs.  Here’s a quick look at each and how the Cloud Security Alliance (CSA) describes their individual security concerns.

Infrastructure as a Service (IaaS)
IaaS providers deliver complete computing platforms over the Internet for use on VMs. These platforms can include any or all these resources:

• Operating system
• Memory storage
• Processing power
• Applications
• Other fundamental computing resources

Although consumers do not manage or control the underlying cloud infrastructure with IaaS, they do have control over operating systems, storage and deployed applications. There are typically few integrated security capabilities in IaaS. Users are responsible for managing and securing operating systems, applications and content.

Software as a Service (SaaS)  
SaaS providers deliver software functionality over the Internet, enabling end users to gain access via a Web browser and use without having to install the software locally. Consumers do not manage or control servers, operating systems, storage or individual application capabilities. That means providers have total responsibility for security. In other words, if the provider does not encrypt data, user data is not encrypted.

Platform as a Service (PaaS)
PaaS providers deliver complete development environments in which developers code, host, and deliver applications. In addition to the underlying infrastructure, this environment typically includes development tools, Application Programming Interfaces (APIs) and related services. Although developers do not manage or control the infrastructure—the network, servers, operating systems or storage — they do have control over deployed applications and in some cases the application-hosting environment configurations. Typically there are few built-in security features with PaaS, Developers do, however, have the flexibility to add more and should pay attention to application security, as well as security issues surrounding APIs.

The brightstack Approach
brightstack’s approach is to treat each of these under our umbrella of “Technology as a Service.”  As such, the management of security becomes much more about the tools, processes and people rather than the specific technologies implemented.