Cloud security is critical in cloud projects. But is it only in the hands of the cloud provider or is it a collaborative effort? The answer is easy.
The Objectives of Cloud Security
The goals of IT security include integrity, confidentiality, authenticity, availability, accountability, privacy, and liability. These goals apply to cloud systems too, but they aren’t easy to apply because of differences in requirements across application architectures.
What is consistent is that security measures are to be defined for four levels of control: information, people, applications, and infrastructure.
Cloud systems can have elements of IaaS (Infrastructure as a service), SaaS (software as a service) and PaaS (platform as a service). In the first, the vendor only provides the virtual or physical infrastructure. In PaaS, infrastructure and databases are provided, while the customer provides the data content and applications. In SaaS, cloud vendor provides everything from infrastructure to application.
Responsibility for security in the various cloud models are divided between the vendor and the customer. In various models, various levels of responsibility lie with the customer. Security at the user control level include access management and identity management. In SaaS and PaaS models, responsibilities for security in these areas are shared. In IaaS, they are the consumer’s job. The vendor is responsible for API security and auditing.
Measures for data control include monitoring of file and data activities, collecting and classifying data, masking and encryption, data access control and secure erasure. In IaaS, these are in the customer’s domain. In PaaS, the cloud provider is responsible for providing sophisticated data protection and monitoring tools.
Application security measures include design and source code analysis, vulnerability testing, security testing, secure deployment and continual runtime protection against threats and manipulation. In SaaS, security tasks are shared, since the vendors provide the software while user controls data. The vendor must deliver secure application with features like application security management, application code scanning, and vulnerability detection.
In SaaS, the consumer must secure endpoints. In other models, the consumer may be responsible for network security, endpoint security, physical security and encryption of communication. Cloud providers may offer other services for infrastructure security, such as identity and access management.
However, businesses aren’t on their own with security. Your cloud vendor can help you comply with security regulations and guidelines. You may need certifications like COBIT, SOC-2 and others.
Overall, cloud security is a joint effort between the consumer’s IT team and the cloud vendor. It is also important to decide who has control of the various elements of the cloud system. It will determine where and how security measures will be applied, especially on data.
The other option is to outsource the whole process. Learn more about Advanticom’s technology consulting to see which option is right for you.