What’s new about cloud security?

I’m being asked quite a lot at the moment about cloud security. Is it possible to secure the cloud, is there anything different about cloud security?
I believe that about 70% of cloud security is just good security and you would need to do it whether or not you’re in a cloud. The rules for user authentication, device hardening and audit, for instance, are not much affected by cloud.
Then, about 15% of cloud security comes from the fact that you don’t own the servers your system is running on. That doesn’t have to be a problem – we have been outsourcing IT services for years, with reasonable success from the security point of view. In a conventional outsource, the customer influences the provider by carefully specifying his requirements and incentivising good behaviour. In a cloud environment it’s similar, but the cloud provider’s contract will be a standard utility contract. The customer influences behaviour by selecting the provider with the best standard contract and monitoring for compliance, and by making it clear that poor security will rapidly lead to loss of business. If done properly, there’s no reason why a cloud service can’t be at least as secure as an outsourced or in-house service. This isn’t a technical issue though – it’s a commercial risk and relationship management issue.
The final 15% of cloud security is unique to clouds and handles the mobility and layering that characterise cloud-based services. No two clouds are exactly the same, of course, but we can construct a generic model that will handle most cases. The generic model allows us to:

  • Split a service up into several layers (IaaS, PaaS, SaaS, etc.) which are provided and managed separately.
  • Run up and tear down a layer instance efficiently and securely.

My proposal for a generic model states that every layer instance (whether IaaS, PaaS or SaaS) comprises a similar set of components and must support some similar types of access.
The components of the layer instance are:

  • The unique identity (what uniquely identifies and names this instance, with its credentials)
  • The fixed image (the unchanging code that defines the service offered by the component)
  • The internal working store (not shared with other components)
  • The business data (shared with other components)

The accesses supported and required by a layer instance are:

  • Access by end users (if any)
  • Access by operators and administrators
  • Access by networked peer applications
  • Access by other tenants (in most cases, this will be forbidden)
  • Access by the upper layer (if any)
  • Access to the lower layer (if any)
  • Access to business data (if external to the instance)
  • Access by monitoring and audit applications

Each of these accesses must be provisioned/de-provisioned, controlled and monitored securely.
This generic model therefore defines 8 accesses and 3 security services (provisioning/de-provisioning, control and monitoring) for each access. These 24 services make up what is unique about cloud computing.
Although we have 24 conceptual services here, the physical implementation will probably have considerable commonality; for instance, a good TLS implementation will cover about half of them.
These 24 services seem to map cleanly onto any secure virtualised environment where mobility and layering are required.
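To make the 8 × 3 matrix concrete, here is an added example (not the author’s model code) that enumerates the 24 (access, service) pairs for one layer instance, records which mechanism covers each, and reports the pairs still uncovered. The mechanism names, the "paas-01" instance and which pairs mutual TLS or IAM are taken to cover are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from itertools import product

# The eight accesses the generic model requires of every layer instance.
ACCESSES = (
    "end_users", "operators_admins", "peer_applications", "other_tenants",
    "upper_layer", "lower_layer", "business_data", "monitoring_audit",
)
# The three security services the model demands for each access.
SERVICES = ("provisioning", "control", "monitoring")


@dataclass
class LayerInstance:
    """One IaaS/PaaS/SaaS instance and the mechanisms it has in place."""
    identity: str   # the unique identity component of the instance
    layer: str      # "IaaS", "PaaS" or "SaaS"
    # (access, service) -> mechanism name; filled in by cover()
    implemented: dict = field(default_factory=dict)

    def cover(self, accesses, services, mechanism):
        """Record that `mechanism` supplies each of `services` for each of `accesses`."""
        for access, service in product(accesses, services):
            if access not in ACCESSES or service not in SERVICES:
                raise ValueError(f"unknown pair {(access, service)}")
            self.implemented[(access, service)] = mechanism

    def gaps(self):
        """Return the (access, service) pairs, out of the 24, that nothing covers yet."""
        return [p for p in product(ACCESSES, SERVICES) if p not in self.implemented]

    def coverage(self):
        """Fraction of the 24 conceptual services that have a mechanism assigned."""
        return len(self.implemented) / (len(ACCESSES) * len(SERVICES))


def example_paas():
    """Constructed PaaS instance; the mechanism assignments are assumptions."""
    inst = LayerInstance(identity="paas-01", layer="PaaS")
    networked = ("peer_applications", "upper_layer", "lower_layer", "business_data")
    # Mutually authenticated TLS gives access control and a record of who connected
    # on the networked paths, but it does not issue or revoke the credentials.
    inst.cover(networked, ("control", "monitoring"), "mutual TLS")
    inst.cover(("end_users", "operators_admins"), ("provisioning", "control"), "IAM")
    # Other tenants are forbidden, so their 'control' service is a deny rule.
    inst.cover(("other_tenants",), ("control", "monitoring"), "tenant isolation policy")
    return inst
```

Calling `example_paas().gaps()` lists the ten pairs still unassigned, such as provisioning for monitoring and audit applications, which is the kind of checklist a provider and customer can agree on per layer.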
