Cloud Computing Shared Security Responsibility Model
|
thumbCloud security is becoming a critical concern as its adoption rate to run organizations' essential workloads of applications and database services is rising. These cloud security concerns have led to organizations developing and implementing new cloud security policies and strategies to take advantage of cloud computing features and benefits. "However, the challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization's data." As a result, there is a continued cloud security debate on how much cloud customers understand their cloud security responsibilities. This brought about the concept of "The Cloud Computing Shared Security Responsibility Model" for all Cloud Service Providers (CSPs) for Cloud Consumers. Let's have a brief look at what features and benefits constitutes cloud computing. Organizations/companies regardless of size and revenue are increasingly adopting cloud computing to host their business-critical applications and database services. The primary reason for this significant shift of enterprise data migration from on-premise hosting to cloud computing has been associated with its many advantages of high availability, scalability, and effective cost management. There have been several definitions of cloud computing; among the most widely accepted is the one put forward by The National Institute of Standards and Technology (NIST). According to NIST, "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." The definition outlined the critical features of cloud computing that have made it a de facto infrastructure, platform, and software-as-a-service solution for privately owned organizations and have also been vital in the modernization of federal government agencies and organizations' information management systems. Cloud customers' understanding of their cloud computing deployment and service models road map is critical in cloud security. Cloud Computing Deployment and Service Models Cloud Service providers (CSP) (for example, Amazon Web Services, Microsoft Azure, Google Cloud, etc..) provides varying cloud deployment and service models for cloud customers. See Cloud-computing comparison on various CSPs service models and services. The primary cloud deployment models are as follows: · Private Cloud · Public Cloud · Hybrid Cloud · Community Cloud The leading cloud deployment service models are: · Infrastructure-as-a-Service (IaaS) · Platform-as-a-Service (PaaS) · Software-as-a-Service (SaaS) The cloud deployment and service models are critical in defining cloud customers' applications and data security environments as this are where the cloud computing shared responsibility comes into play. The cloud shared security responsibility model varies based on the adopted cloud deployment and service model. It clearly, defines where the CSPs and cloud customer security responsibility on cloud services and applications starts and ends. Therefore, CSPs must ensure cloud customers adopting their cloud services better understand their cloud shared security responsibility model. A better understanding of the shared security responsibility model is the first step to achieving cloud computing data security. However, this has been a challenge for cloud customers. There has been continuous evidence of enterprise environments data breaches originating from insecure; cloud deployment, misconfigurations, and lack of understanding of cloud security services implementations. CSPs and Cloud customers are both liable to ensure they provide adequate security on their designated boundary of shared security responsibility in the cloud. A clear indication of this was during the senate investigation of the Capital One bank data breach that involved Amazon Web Services (AWS). According to the investigation, AWS, just as Capital One bank was held equally responsible for the cyber attack for failing to implement adequate security safeguards against "server-side request forgery" (SSRF) attacks that the attacker used to access the information of over 100 million customers from both the United States and Canada. As a result, it is essential for both CSPs and Cloud Customers' to have a clear understanding of who is responsible for "Security of the Cloud" and “Security in the Cloud." Understanding the concepts of "Security of the Cloud" and "Security in the Cloud" In an on-premise traditional environment that can also be a private cloud environment, the organization's security responsibility is for the entire infrastructure, platform, and software stack. This responsibility includes and is not limited to physical data centers hosting the physical servers to the virtualization platform consisting of database services and applications services. The CSPs in the cloud computing services models (IaaS, PaaS, and SaaS) eliminates the ongoing cost and security associated with the operations and maintenance of physical data centers hosting physical compute, database, networking, and storage services. As defined, the CSPs responsibilities of cloud computing include all the global infrastructure of hardware and software services that constitutes the cloud underlying infrastructure hosting all cloud customers’ operating systems(OS), applications and database solutions. That level of cloud security responsibility is referred to as the “Security of the Cloud.” Cloud customers' security responsibility starts with every workload (for IaaS(including operating system(OS) and PaaS) and application services (SaaS) they provisioned into cloud computing platforms. Cloud customers need to understand the traditional on-premise security practices of application processes, and database services that can also be applied in cloud computing services regardless of CSP. The cloud computing services adopted by cloud customers are crucial to their security responsibility. For example, cloud customers who want to have complete visibility into their database services will not use a PaaS cloud service such as the provided by Amazon Web Services. Instead, they will adopt an IaaS cloud service such as the that will allow them to have complete control over all the underlying infrastructure and maintenance of their database services. Cloud customers will need to understand both the compliance and security implications for every cloud service(s) they decide to implement into their cloud solution related to their organizational mission, security policies, strategies, and data type. This defines the concept of “Security in the Cloud.” Cloud Computing shared security responsibility continues to become central for organizations in formulating their cloud security policies and strategy. Cloud customers should understand ensuring their Information Technology (IT) environment compliance and security continues to be their responsibility with cloud computing. A better understanding of cloud computing's shared security responsibility model can be achieved through effective collaboration between cloud customers and CSPs to minimize cyber threats and attacks against cloud computing applications and data services.
|
|
|