Cloud service providers can make many promises regarding their data center’s physical security, but it is vital that you are able to understand the logical, remote and application dimensions to cloud security in that provider’s cloud stack. Physical security is important as well, but the security of data can be compromised by many different types of threats.
Infrastructure as a Service (IaaS) is one of the most important cloud service categories today along with Software as a Service (SaaS). Both services require different approaches to cloud security and these approaches will dictate what the base cost of these services may be versus extra costs for additional services.
Cloud service providers describe the “cloud” in many different ways but before this confusion took place, IaaS simply meant “virtual colocation”, which is a technical way to describe the concept that activities, which take place in your data center, can be done virtually in the provider’s web console. Adding IP’s, building virtual machines and fully controlling three layers of high availability firewalls is necessary for a fully functional cloud service.
Traffic through all security devices is controlled by the customer, which means you, as the customer, retain full control. Furthermore, a customer is able to fully lock down the data center in your cloud. Firewall logs can be exported just like physical firewalls from your web console into an Excel document. You can also use an API to push the logs to a Security Information and Management (SIEM) product.
Intrusion Preventions Systems (IPS) and Intrusion Detection Systems (IDS) are another very important consideration, and these can be provided by an outside security firm against your virtual data center context within your cloud. These intrusion measures can be provided, especially if you are able to inform your security firm early on.
In contrast to IaaS, the customer has less control with SaaS based services because the cloud provider codes, hosts and secures applications that may be utilized over the web. This means that it is incumbent on the customer to research the security measures taken by the SaaS provider.
Usernames, passwords and Personally Identifiable Information (PII) data such as social security numbers must be secured through web applications designed by an SaaS company just as an IaaS provider will do. The biggest risks faced by an SaaS involve incorrectly configured databases, operating systems and middleware that a provider may deploy.
If you as a customer are seeking proof that an SaaS provider are as secure as possible, be sure to request a full list of compliance, regulatory and audit results to place your mind at ease. Some of these regulations include PCI, SOC 2, HIPPAA, SSAE16 as well as all of the ISO standards.
A cloud service agreement should include risk assessment services as well, which should focus on the customer more than the cloud provider. The provider should already have a full security breakdown available for your compliance and security department to review. Meetings with your cloud provider’s design team will enable you to gain a deeper understanding of how they actually secure their cloud, which can help to lower your risks.
Logging in to the cloud can be handled in different ways, and authentication is of paramount concern for the security of your cloud. The simplest arrangement will involve a single-factor authentication that is based on a password or credentials that you give to the cloud administrator, but more advanced authentication will involve a phone call with a verbal cue or passcode to ensure security.
The big test of whether your cloud security provider is up to the task is if they can encrypt your data while still allowing the customer to own the encryption keys. If they are able to accomplish this, you can mirror the in your physical data center.
Data loss prevention that takes place within your own organization should be duplicated through DLP services offered in an SaaS based service. Any security violations should be communicated to you immediately.