Security and Compliance: IaaS, PaaS, and Hybrid Cloud

Heather Hinton (IBM Corporation, USA)
DOI: 10.4018/978-1-5225-0759-8.ch008

Abstract

Despite a rocky start in terms of perceived security, cloud adoption continues to grow. Users are more comfortable with the notion that cloud can be secure, but there is still a lack of understanding of what changes when moving to cloud, how to secure a cloud environment, and, most importantly, how to demonstrate compliance of these cloud environments for regulatory purposes. This chapter reviews the basics of cloud security and compliance, including the split of security responsibility between the Cloud provider and the Client, considerations for the integration of cloud-deployed workloads with on-premises systems, and, most importantly, how to demonstrate compliance with existing internal policies and the regulatory standards a workload requires.

Introduction

Despite a rocky start in terms of perceived security, cloud adoption continues to grow. Users are growing more comfortable with the notion that cloud can be secure. A recent study by the Economist Intelligence Unit found that “the most mature enterprises are now turning to cloud strategies as a strategic platform for growing client demand and expanding sales.” (Columbus, 2015; Economist Intelligence Unit, 2015). While initial fears of would-be-cloud-adopters focused on the security of the Cloud provider’s environment, most analysts have now moved beyond that to focus on governance of the client’s cloud-hosted workload.

Charting the change in viewpoint, in 2013, typical articles all cited cloud as insecure and not safe for data and workloads:

The biggest risk when it comes to cloud computing is that you never know what is up ahead. Hackers have been around from the start and they are not going anywhere any time soon. And as technology advances, so do the risks that come with adopting them…”The cloud is not for everyone,” [Neil] Rerup said. “Like with all solutions, you have to weigh what level of risk you are comfortable dealing with.” (Angeles, 2013)

By late 2014, the overall tone was changing to recognize that while breaches will still occur when using cloud, it is not going to be the cloud provider’s fault:

Cloud data breaches are a sure thing. Forrester doesn’t mince words with this one, saying that CIOs should expect to encounter a breach in the cloud – and that it will be their fault, not the SaaS provider. “The culprits will likely be common process and governance failures such as poor key management or lack of training or perimeter-based thinking by your security department,” the report states. (Gagliordi, 2014)

And by 2015, analysts such as Jay Heiser of Gartner, were articulating the need for clients to move beyond security and embrace oversight and governance, in particular for the client’s own use of the cloud:

The ongoing concern about cloud ‘security’ is distracting from what is ultimately the more significant concern: “how are you going to ensure that your employees make appropriate, safe and secure use of applications that you are not running in house?” The biggest ‘security’ problem isn’t that SaaS vendors are being hacked, it’s that your users are putting sensitive data into SaaS without recognizing that they need to control access and usage. It’s time for the cloud risk community to evolve beyond superficial concepts of ‘cloud security’ and start strategizing ‘cloud governance’ approaches. (Heiser, 2015)

Despite this encouraging move to cloud, and the need for cloud governance, there is still a lack of understanding of what changes when moving to cloud, how to secure a cloud environment, and, most importantly, how to demonstrate compliance of these cloud environments for regulatory purposes. This chapter introduces the basics of the roles and responsibilities for Cloud security, how to secure a cloud-hosted workload, how to integrate it with in-house (on-premises) systems, and, most importantly, how to approach governance through compliance with existing internal policies and the regulatory standards a workload requires.


Background

IaaS (Infrastructure as a Service) is the most basic of Cloud offerings. IaaS platforms provide physical and virtual servers in a consumptive, on-demand manner. These resources are deployed by the provider’s orchestration and automation tools; they use the provider’s network infrastructure to interconnect the servers to each other and to the Internet and/or the client’s internal, on-premises network. IaaS services are typically “self-serve”, with the client having complete control over their deployed environment. Well-known IaaS providers include Amazon Web Services (AWS), Microsoft Azure, Google, and IBM SoftLayer. Some providers also offer a “managed services” option, by which the provider handles the operational management (configuring, maintaining) of a cloud environment, such as IBM’s Managed Services for Cloud.

Key Terms in this Chapter

Client: In this context, the entity that has signed up for and is a paid customer of a provider.

RPIE (Request, Perform, Inform, Evidence): The lifecycle of an action to be performed, from the initial invocation of the action (Request), to the validation and execution of the action (Perform), to the reporting of the action’s completion, including its status (Inform), to the use of that completion information (Evidence). It is intended to be a closed loop: the Requestor uses the Evidence to ensure the request was properly fulfilled, and the Perform(er) produces the Inform(ation) to demonstrate that it has properly completed the action.
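The closed loop described by RPIE, as an added illustration that is not part of the chapter: a requestor asks a performer to revoke a user’s access, the performer validates and executes the request and returns an Inform record, and the requestor treats that record together with the observable resource state as Evidence. All names here (AccessStore, perform, evidence_ok, the authorized-requestor list) are hypothetical and constructed for the example.

```python
"""Closed-loop RPIE (Request, Perform, Inform, Evidence) control lifecycle.

Constructed illustration; AccessStore, perform and evidence_ok are
hypothetical names, and ALLOWED_REQUESTORS is a constructed authorization list.
"""
from dataclasses import dataclass, field
import uuid


@dataclass
class Request:
    action: str
    target: str
    requestor: str
    request_id: str = field(default_factory=lambda: uuid.uuid4().hex)


@dataclass
class Inform:
    request_id: str
    status: str  # "success" or "failed"
    detail: str


class AccessStore:
    """Hypothetical resource whose state the Evidence step can inspect."""

    def __init__(self, grants):
        self.grants = set(grants)


ALLOWED_REQUESTORS = {"security-ops"}  # constructed: who may request revocation


def perform(req: Request, store: AccessStore) -> Inform:
    """Perform step: validate the request, execute it, and report its status."""
    if req.requestor not in ALLOWED_REQUESTORS:
        return Inform(req.request_id, "failed", "requestor not authorized")
    if req.action != "revoke_access":
        return Inform(req.request_id, "failed", f"unknown action {req.action}")
    store.grants.discard(req.target)
    return Inform(req.request_id, "success", f"revoked {req.target}")


def evidence_ok(req: Request, inf: Inform, store: AccessStore) -> bool:
    """Evidence step: the requestor closes the loop by checking the Inform
    record against its own request AND against the observable state, so a
    report of success that the state does not bear out is not accepted."""
    return (inf.request_id == req.request_id
            and inf.status == "success"
            and req.target not in store.grants)
```

The third condition in evidence_ok is what makes the loop closed: a status report alone is the performer’s claim, whereas the state check is the requestor’s independent confirmation.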

Shared Responsibility Control: A control that requires input and action from more than one entity to complete. In such a model, it is critical that each entity understands the limits of its role and how to interact with the other entity to provide a model that correctly implements a given control.

Sole Responsibility Control: A control that is requested, completed, logged and monitored for correctness by a single entity, with no input from any other entity.

Responsibility (for a Control): The entity that is expected and required to correctly implement a control without input from any other entity.

Cloud Provider: In this context, the entity that is providing services in a cloud-consumptive fashion.

Control(s): The tools and procedures in place to implement a policy. Controls may be implemented with tools (including services, programs and other automation based means), for example, an access control system. Controls may be implemented by human or manual action, for example, checking a user’s driver’s license to ensure their identity.

Compliance: The state of adherence to policies and procedures by tools and actions within a system.

Framework: In this context, framework, also known as a security framework, or policy framework, refers to the high level grouping of similar controls designed to address a given risk family.

Governance: The process of ensuring that policies are followed (that the required controls are in place and operational). Unlike an audit, which is typically a short exercise conducted over a limited period of time, governance as a whole is ongoing and intended to ensure continued compliance with required policies.
