An unfortunate and common misconception among many companies is that the cloud is somehow inherently secure end to end. The truth of the matter is that responsibility for managing risk is shared between the client organization and the cloud vendor, and the split varies depending on which cloud model is used. Consider open discussions with your current or potential cloud provider to ask how they handle the shared model. Good consultation on this topic can spare a business the security issues that arise from assumptions.
While it is beyond the scope of this blog to detail why client organizations should pursue one cloud computing model over another, below is a brief list of each model and a description of what is being provided.
Cloud Computing Models
Cloud computing falls into three primary models:
- IaaS (Infrastructure as a Service) – Client organizations consume compute resources via a self-service portal and the cloud vendor supports the infrastructure. Examples include Amazon AWS, Microsoft Azure, Venyu Cloud.
- PaaS (Platform as a Service) – Client organizations are allowed to develop and run their applications on an operating system with compute and storage infrastructure that is managed by the cloud vendor. Examples include SAP Cloud, Google App Engine, IBM Cloud Foundry.
- SaaS (Software as a Service) – Client organizations consume an application that is hosted by the cloud vendor. Examples include Salesforce, Dropbox, G Suite.
As mentioned earlier, each of these cloud computing models varies in the amount of risk management required of the client organization and the cloud vendor. The image below shows the standard division of responsibilities between the client organization and the cloud vendor. While some cloud providers may offer more or fewer security options in each, this is a good rule of thumb to begin your assessment.
As you can see from the image, SaaS solutions require the smallest amount of client responsibility for security, with PaaS being the next and IaaS requiring the most effort.
Keep in Mind
Although many client organizations will assume they need to focus only on the sections of responsibility that apply to them, it is important to consider the cloud vendor's side as well. I find the idiom “Trust, but verify” applicable here. Selecting a reputable and stable cloud vendor seems obvious, but there is more to be evaluated when selecting a vendor.
- If you have certain regulatory requirements for your cloud, does the cloud vendor have the necessary certifications?
- Where are the hosting facilities geographically located, and are there latency requirements for applications or regulatory constraints to which you need to adhere?
- Has the cloud vendor experienced any security incidents or encountered any outages that caused a loss of availability for their customers?
- Be mindful of vendor lock-in. How easy would it be to move away from the cloud vendor should that be required down the road?
- Some cloud vendors provide additional security services and/or products to help improve their security posture. Talk to your cloud provider about this and take it into account, should you identify additional security technologies needed to protect your cloud services environment.
VENYU is Here
As always, if you have additional questions or would like someone to discuss cloud security in more depth with you, please open a support case using the customer portal (https://portal.myvenyu.com) or schedule a consultation (https://www.venyu.com/consultation/).