Securing The Cloud: Questions and Answers
October 13, 2011
While cloud computing is easily one of the biggest trends of the moment, a survey from the Institute of Business Value found, perhaps not surprisingly, that 77 percent of respondents believe that adopting cloud computing makes protecting privacy more difficult; 50 percent are concerned about a data breach or loss; and 23 percent indicate that weakening of corporate network security is a concern…
Cloud presents a new consumption and delivery model that allows users to rapidly deploy resources, which can easily be scaled up and down, with processes, applications, and services provisioned on demand. Cloud infrastructures and platforms present considerable advantages as users increasingly want to access applications on tablets and increasingly pervasive devices.
However, given that this model presents data and security changes, it is essential to factor in which cloud computing models are most appropriate for an organization. The big questions with cloud security boil down to: Where is my data? Who will be able to access it? And, how will I be able to maintain oversight and governance?
What Is Security in the Cloud?
Securing the cloud is described sometimes as a datacenter challenge, sometimes as a software issue, and sometimes as a data or device access issue. In reality, securing the cloud depends on working out where and how to apply the security measures specific to your end user.
Indeed, security services are continuing to develop, enabling a cloud delivery model and allowing security to be delivered increasingly as cloud services. This will apply both to cloud infrastructures and to services in their own right. In essence, the cloud model is evolving into one of the core models for delivering services.
What Has Changed for Security as We Transition to the Cloud?

In considering cloud security, it is essential to understand what changes are involved in adopting cloud computing models. For example, multi-tenant infrastructures require isolation to be built in at the hypervisor, network, and storage layers.
Other categories that are talked about less frequently include cloud governance and how to evolve assurance, since data center inspection is not practical when you are scaling a service for a week or even a day.
In looking at each of these, we have had to understand how we can deliver those elements in a cloud delivery model.
A Framework for Building and Articulating Cloud Security
In looking at security, the fundamentals still apply. Building security involves three essential considerations: Have we designed security into how we build the cloud? Have we understood this in the context of what we are trying to do? Have we got security running for these cloud environments?
To communicate our approach, we developed the cloud security reference model. This reference model covers eight categories ranging from cloud governance, security, and risk and incident management to infrastructure protection and personnel and physical security.

Aspects such as patch management and vulnerability scanning can be placed in context within the model; in this example, under securing infrastructure and protecting against threats and vulnerabilities.
The reference model also allows for setting expectations about what the cloud provider would do and what the customer is expected to do.
Patch management, for example, includes the process of determining what patches are available and where they should be applied, both in the environment the cloud provider is managing and in the elements the customer chooses to manage themselves. The reference model allows these conversations to take place in a structured way.
Security by Design
This framework is our way of communicating the approach. Layered on to this is the design, build, and consume approach to delivering and enabling cloud security.

This starts with the design approach. Enabling security starts with designing security into the build. For many of us who build security, people, processes, and technologies are design elements we have established over many years and are now applying to cloud.
The design phase is about understanding that a one-size-fits-all approach to security in the cloud will not work. It is about getting the appropriate security in place for the workload or service that is being considered for the cloud.
The consume phase is about the delivery of security for the cloud, and about ensuring that the services being delivered, and the people, processes, and technology approach to security articulated against a framework and reference model, are understood and appropriate for that service.
In summary, over the past several years, security concerns surrounding cloud computing have become the most common inhibitor of widespread usage. These concerns often translate to: Where is my data? Who will be able to access my data? And how will I maintain oversight and governance?
Each cloud model has different features, which change the way security gets delivered and, in turn, the way we look at security governance and assurance. This means determining your desired security posture and enabling cloud in such a way that the new risks can be managed in a rapidly changing landscape.


