Cloud Security

What Came Before the Cloud?

Before the cloud, organizations purchased their own computer systems to run the application software needed to run the business. These computer systems were located in the organization's facilities and managed by teams of experts. While not always the case, often there was more than one computer system (or server) per major application. That was quite expensive, and someone noticed that out of all of their computer systems, only a few were completely busy at any given moment. Most were idle, so many resources were wasted.

So a new way of using server hardware, called virtualization, was developed. It actually comes from older mainframe technology, and it lets a single server run the operating systems and applications of multiple servers simultaneously. Virtualization consolidates workloads onto fewer servers, increasing their utilization and saving money. It wasn't long until most datacenters were transformed from rows of computer hardware dedicated to specific applications into a collection, or pool, of general hardware resources running virtualized applications.

How Was the Cloud Created, and What Is Its Purpose?

Along with virtualization came some entrepreneurs who built enormous datacenters filled with generalized computer hardware, to offer Infrastructure (Computing) as a service.

This type of cloud computing is called IaaS, Infrastructure as a Service. IaaS provides organizations with networking, storage, physical servers, and virtualization, while users must still provide computers with operating systems, middleware, data, and applications.

Types of Cloud Services

Service Providers rent cloud-based platforms for software developers to develop and deliver applications. This service, named Platform-as-a-Service or PaaS, provides the OS and middleware in addition to the elements provided by IaaS. This service makes it easier, more efficient, and cheaper for organizations to build, test, and deploy applications.

Understanding Cloud Security

When applications are hosted in a company's own datacenter, the security picture is straightforward: "You put the appropriate security technology at the right locations to address the specific security concerns."

Security in the cloud, though, does come with its challenges. Cloud security is a shared responsibility between the cloud provider and the customer utilizing the cloud services. Designed in layers, security includes both the physical components and logical components.

The Cloud Security Provided by IaaS Vendors

The cloud infrastructure provided by IaaS vendors, for example, is protected in various ways. From an availability point of view, the infrastructure is designed by the vendor to be highly available, and it follows that the infrastructure's uptime is the responsibility of the vendor. From a security point of view, the vendor is only responsible for securing the infrastructure it provides. As a customer, when you install one or more virtualized applications in the vendor's cloud infrastructure, you are responsible for securing the access, the network traffic, and the data applications.

Now, most vendors supply some form of security tools so that various parts of the customer's cloud application environment can be secured. However, these tools can pose a few problems. First, they tend to provide only a few basic security functions, and they are the same tools vendors use to secure the underlying infrastructure. If an attacker were to bypass these tools at the infrastructure layer, they would likely be able to bypass them at the customer's application level as well. Second, and perhaps more important, many organizations operate in a hybrid world where some of their applications remain hosted in their own datacenters, some in Vendor-A IaaS, some in Vendor-B PaaS, and some in Vendor-C SaaS. This is what we call a "Multi-Cloud" environment, and it comes with multiple, independent, uncoordinated security issues, where disorganization scales geometrically with the number of cloud vendors involved. On top of that, highly trained security staff are scarce to start with.
