As organizations continue to the move to the cloud, one important consideration for selecting a cloud vendor and contracting with the vendor is to clearly stipulate responsibilities. Most cloud environments are characterized by shared responsibilities for security, along a continuum. For SaaS environments, the SaaS provider takes on the majority of the responsibility. For Integration as a Service (IaaS) or Platform as a Service (PaaS) environments, the vendor's responsibility is smaller while the client's is much larger.
In an IaaS cloud environment (for brevity, this article will combine IaaS and PaaS into one group), the vendor provides core infrastructure. In general, this means basic networking, processing and storage services. The customer is responsible for granular network administration, server administration and data storage administration. Control for the majority of security considerations rests primarily in the customer's hands. Customer responsibilities include:
- Controlling network access (opening and closing of ports and protocols);
- Granting or denial of access at the server and service layer (the customer is responsible for the server and service configuration);
- Designing, implementing, maintaining and inspecting access control within the application;
- Implementing failover and other redundancy solutions; and
- Ongoing monitoring for access, security and availability.
With primary control of design, configuration and operations, the customer's responsibility in securing an IaaS environment is to ensure the vendor (through technical or policy controls) does not have access to servers or data. Vendors who implement technical controls rather than rely on policy are preferable. As an IaaS customer of a vendor with limited technical control and a greater dependency on policy and procedure, it's very important to understand the vendor's monitoring approach. Be satisfied that the vendor can and will detect an unauthorized attempt to access your resources. Remember: The goal is to limit your vendor's data and service access as well as their ability to influence your service's availability.
With recent advances in data encryption, vendor access to sensitive information has a viable control by rendering data unreadable without encryption keys. A key consideration in this situation, of course, is maintaining sole control of encryption keys. Plenty of IaaS vendors will agree to "no access" scenarios; if your vendor presses you for key access, you should seriously reconsider your relationship with the vendor. When implementing data encryption, keep in mind that relying on the database for encryption increases your risk. Any application that can successfully query the database server for data (for instance, a compromised Web application) will defeat your encryption efforts. For this reason, it's a better investment to implement encryption and decryption at the application layer.
When contracting with an IaaS vendor, your responsibilities therefore include the following:
- Selecting a vendor with strong technical controls which prevent access to or interruption of data and services;
- Putting in place strong contractual obligations that reinforce the need for maximal control on your part and minimal control on the part of your vendor;
- Developing and implementing technical controls that reinforce the contractual obligations and detect potential service interruptions and unauthorized access attempts; and
- Designing and implementing assessment procedures that validate the vendor operates within contractual and technical boundaries as agreed.
In short, your goal in an IaaS environment is to limit the risk of a vendor-initiated security event, to increase the likelihood that you will discover insufficient technical and policy controls in assessments and to maximize the potential of discovering security events while they are happening.
Securing an IaaS environment can be a challenge, but the high level of control the customer enjoys enables you to design and implement