I’m being asked quite a lot at the moment about cloud security. Is it possible to secure the cloud? Is there anything different about cloud security?
I believe that about 70% of cloud security is just good security and you would need to do it whether or not you’re in a cloud. The rules for user authentication, device hardening and audit, for instance, are not much affected by cloud.
Then, about 15% of cloud security comes from the fact that you don’t own the servers your system is running on. That doesn’t have to be a problem – we have been outsourcing IT services for years, with reasonable success from the security point of view. In a conventional outsource, the customer influences the provider by carefully specifying requirements and incentivising good behaviour. In a cloud environment, it’s similar, but the cloud provider’s contract will be a standard utility contract. The customer influences the provider’s behaviour by selecting the provider with the best standard contract, monitoring for compliance, and making it clear that poor security will rapidly lead to loss of business. If done properly, there’s no reason why a cloud service can’t be at least as secure as an outsourced or in-house service. This isn’t a technical issue though – it’s a commercial risk and relationship management issue.
The final 15% of cloud security is unique to clouds and handles the mobility and layering that characterise cloud-based services. No two clouds are exactly the same, of course, but we can construct a generic model that will handle most cases. The generic model allows us to:

  • Split a service up into several layers (IAAS, PAAS, SAAS etc) which are provided and managed separately.
  • Run up and tear down a layer instance efficiently and securely.

My proposal for a generic model states that every layer instance (whether IAAS, PAAS or SAAS) comprises a similar set of components and must support some similar types of access.
The components of the layer instance are:

  • The unique identity (what uniquely identifies and names this instance, with its credentials)
  • The fixed image (the unchanging code that defines the service offered by the component)
  • The internal working store (not shared with other components)
  • The business data (shared with other components)

The accesses supported and required by a layer instance are:

  • Access by end users (if any)
  • Access by operators and administrators
  • Access by networked peer applications
  • Access by other tenants (in most cases, this will be forbidden)
  • Access by the upper layer (if any)
  • Access to the lower layer (if any)
  • Access to business data (if external to the instance)
  • Access by monitoring and audit applications

Each of these accesses must be provisioned/de-provisioned, controlled and monitored securely.
This generic model defines 8 accesses and 3 security services for each access (provisioning/de-provisioning, control and monitoring). These 24 services make up what is unique about cloud computing.
Although we have 24 conceptual services here, the physical implementation will probably have considerable commonality; for instance, a good TLS implementation will cover about half of them.
These 24 services seem to map cleanly onto any secure virtualised environment where mobility and layering are required.
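
The model above can be applied as a coverage checklist for a layer instance. The following Python is an added example, not code from the original post: the identifier names, the mechanism labels (`tls`, `iam`, `audit_log`) and the sample instance are constructed, and it assumes that only the accesses the list qualifies with "if any" or "if external" can be marked not applicable.

```python
from dataclasses import dataclass, field

# The 8 accesses and the 3 security services per access, as listed in the post.
ACCESSES = ("end_users", "operators_admins", "peer_applications", "other_tenants",
            "upper_layer", "lower_layer", "business_data", "monitoring_audit")
SERVICES = ("provision", "control", "monitor")
# Accesses the post qualifies with "(if any)" / "(if external to the instance)".
OPTIONAL = {"end_users", "upper_layer", "lower_layer", "business_data"}

@dataclass
class LayerInstance:
    name: str
    not_applicable: set = field(default_factory=set)  # optional accesses this instance lacks
    implemented: dict = field(default_factory=dict)   # (access, service) -> mechanism

def required_services(inst):
    """All (access, service) pairs this instance must cover; 24 when nothing is waived."""
    waived_mandatory = inst.not_applicable - OPTIONAL
    if waived_mandatory:
        # Assumption: a forbidden access (other tenants) still needs control and monitoring.
        raise ValueError(f"{inst.name}: cannot waive {sorted(waived_mandatory)}")
    return [(a, s) for a in ACCESSES if a not in inst.not_applicable for s in SERVICES]

def coverage_gaps(inst):
    """Required pairs with no mechanism recorded against them."""
    return [p for p in required_services(inst) if p not in inst.implemented]

def by_mechanism(inst):
    """Group covered pairs by mechanism to expose shared implementations."""
    groups = {}
    for pair, mech in inst.implemented.items():
        groups.setdefault(mech, []).append(pair)
    return groups

def sample_saas():
    """Constructed SaaS instance: top layer, so there is no upper layer to serve."""
    inst = LayerInstance("saas-demo", not_applicable={"upper_layer"})
    for a in ("end_users", "operators_admins", "peer_applications",
              "lower_layer", "business_data"):
        inst.implemented[(a, "control")] = "tls"
    for a in ("end_users", "operators_admins"):
        inst.implemented[(a, "provision")] = "iam"
        inst.implemented[(a, "monitor")] = "audit_log"
    return inst

if __name__ == "__main__":
    inst = sample_saas()
    print(f"{inst.name}: {len(coverage_gaps(inst))} of "
          f"{len(required_services(inst))} services uncovered")
    for mech, pairs in by_mechanism(inst).items():
        print(f"  {mech}: {len(pairs)} services")
```

Running the same check on each layer of a stack gives a per-instance list of accesses that still lack provisioning, control or monitoring.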