In most organizations today, cloud services are a fact of life. Whether you’re deploying and managing servers in the cloud, building on top of a globally distributed platform, or consuming constantly updated services, the cloud is a fundamental part of your IT service delivery…whether you know it or not.
And why wouldn’t you move to the cloud? The business advantages are clear. You can greatly reduce the time to deploy new services, decrease your operational burden and costs, and rapidly iterate on new ideas.
It may require a cultural shift in your organization to accept extending trust to your cloud service providers (CSPs). Top tier CSPs understand that they live and die on their reputation. It's in their best interests to deliver a secure service to you.
But that's not to say that you don't have responsibilities for security as well. All cloud services (regardless of SPI model: IaaS, PaaS, or SaaS) follow the same simple division of responsibilities.
Of the main areas of security, the CSP is always responsible for:
Depending on the service, you may be responsible for securing the:
And you are always responsible for:
Put these areas together across all three SPI service models and you get figure 1, "Shared Responsibility Model".
Looking at cloud security in this manner brings clarity. You can take each type of service (IaaS, PaaS, SaaS) and apply reasonable security controls in order to fulfill your day-to-day responsibilities.
It's important to note that we're talking about day-to-day responsibilities here. You're always accountable for the security of your deployments; what you delegate to your CSP is some of the day-to-day work. In these cases, you have to trust but verify the work your CSP is doing.
When dealing with IaaS, most of the controls you are used to from the datacenter are still applicable. They’re just delivered in a different manner in order to optimize for the attributes of a cloud environment.
You see this with controls like intrusion prevention and filtering. Traditionally these were gateway controls; in the cloud it is now much more effective to deploy them directly on each instance or virtual machine, so the control scales with the workload. This maintains the scalability and flexibility of the cloud without sacrificing security.
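As an added example (not code from the original post), here is what "deploying the filtering control on the instance itself" looks like in practice: a small POSIX shell script that renders a default-deny nftables ruleset for one instance and loads it at boot, e.g. from cloud-init user-data, so every instance launched from the image carries its own filter instead of depending on a gateway. The port list and admin CIDR are assumed to be supplied by whatever bootstraps the instance, and nftables is assumed to be installed on the image.

```shell
#!/bin/sh
# Added example: instance-level network filtering with nftables.
# Assumptions (not from the original post): nftables is installed on the
# image; the caller passes the inbound TCP ports to expose and the CIDR
# allowed to reach SSH. Everything else inbound is dropped by default.

# Render an nftables ruleset as text.
#   $1 = comma-separated inbound TCP ports (e.g. "80,443")
#   $2 = CIDR allowed to reach SSH (e.g. "10.0.0.0/8")
render_ruleset() {
  ports="$1"
  admin_cidr="$2"
  cat <<EOF
flush ruleset
table inet host_filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    ip saddr ${admin_cidr} tcp dport 22 accept
    tcp dport { ${ports} } accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Check the ruleset with nft's dry-run mode (-c) before loading it, so a
# typo in the port list cannot leave the instance open or unreachable.
# Returns 0 on success, 1 if the ruleset fails validation, 2 if nft is absent
# (in which case the rendered text is printed so it can be inspected).
apply_ruleset() {
  ruleset="$(render_ruleset "$1" "$2")"
  if command -v nft >/dev/null 2>&1; then
    printf '%s\n' "$ruleset" | nft -c -f - || return 1
    printf '%s\n' "$ruleset" | nft -f -
  else
    echo "nft not found; rendered ruleset follows" >&2
    printf '%s\n' "$ruleset"
    return 2
  fi
}

# Example bootstrap call (would normally come from user-data):
# apply_ruleset "80,443" "10.0.0.0/8"
```

Because the filter lives on the instance, an auto-scaling group that launches fifty copies of the image gets fifty copies of the same policy with no gateway to resize; the dry-run check is the part people skip and then regret when a malformed rule locks them out of SSH.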
Platform deployments can be tricky to secure because of how intertwined your application is with the platform itself. This is a service type where secure design, a strong understanding of the CSP’s role, and programmable security controls are critical to a successful, secure deployment.
Securing software delivered as a service is typically accomplished using a combination of a CASB (cloud access security broker) and configuring the native service controls in order to meet your security needs.
Not So Fast…Please?
While the plan for securing each service type is clear, the pace of change in this space is a major challenge.
Cloud services (of all types) are readily available. It’s never been easier to stand up a new application or service.
This rapid pace of innovation is a huge boon to business. IT is finally a consistent enabler within the organization.
The challenge is for security to keep pace. Innovation is at an all-time high in the security space, but even with current levels of investment and effort, it’s difficult for security controls to keep pace with the new services being developed.
This rapid pace of change is leading to more and more security solutions being required to properly secure the vast number of services that each organization is using.
Putting It Together
The average organization uses a lot of services. OK, I'm sure there's an actual number but it's hard to nail down. Depending on the source, the average is somewhere between 5 and 700. So let's settle on "lots".
Solid guidance exists on how best to secure each of these services according to your needs. The challenge is stitching the security of each of these services together into a cohesive whole.
The industry (led by organizations like the Cloud Security Alliance, of which Trend Micro is a member) is working towards a common goal to help address this challenge.
The goal is to provide tools that organizations can access to easily and work together (regardless of vendor) in order to provide a comprehensive security solution around cloud services.
The strategic vision and guidance is already in place with the Cloud Controls Matrix (the CCM, a living document currently at version 3.0.1). This document lays out the types of controls that should be applied to various cloud services.
In addition to the CCM, there are a number of efforts in place to help organizations combine the right tools for their security needs. The Cloud Security Open API shows a lot of promise in helping make this a reality.
Separate from these efforts are the individual roadmaps for each cloud security tool. This is a very active and innovative space (yes, I realize I have a bit of bias here, but just look around at the number of cybersecurity startups and established companies' efforts; I think you'll agree).
But each of these efforts is a medium term solution at best. Stay tuned to learn what organizations can do to address this problem. Looking forward to your comments below or on Twitter (where I'm @marknca).
[ Part II of this piece is now up and available at http://blog.trendmicro.com/keeping-your-sanity-securing-iaas-paas-and-saas-cloud-services-part-ii/ ]