In some ways, the cloud has made security management easier, as many cloud providers have taken the responsibilities traditionally associated with local server management out of your hands. But in other ways, the security management conversation has become more confusing for decision makers, as “cloud” is a very broadly defined term and could speak to a variety of different technology ecosystems with their own security considerations. To top it off, many of the people who must ultimately make the decision about what kind of cloud solution is being utilized by their business don’t necessarily understand the security management ramifications of that decision. For a local infrastructure, malware considerations were baked into the experience of owning your own equipment. The assumption had to be that you were responsible for the protection of your system and avoiding malware, which is perhaps clarifying from a responsibility standpoint but difficult from a management standpoint. So, by extension, a shift to the cloud is particularly attractive to those who are looking to simplify their management experience and reduce their risk. But once you are utilizing the cloud, do you really know where those security lines are drawn? I think this requires us to take a step back and think of the nature of what kinds of services these third-party cloud providers are delivering to your business, so we need to understand the difference between cloud solutions.
Where do you stand in the cloud now?
The first thing to consider is the following: are you fully in the cloud now, or are you in the hybrid model? In the hybrid model, computing occurs both locally and in various clouds, so you aren’t necessarily completely hosted. The traditional security concerns with a local server infrastructure still applies to the local technology assets. Hybrid cloud is still very common. Many organizations find themselves with core technology functions that simply do not play nicely in the cloud. One good example might be graphic design or processing, where hosted cloud servers may have bandwidth or processing challenges that aren’t felt with locally hosted technology. Another example would be a local accounting technology asset. It’s very common to see organizations keeping their QuickBooks installed on one local PC. There’s a good chance that if you are reading this, you probably have something operating locally that you need to protect. Don't forget this when coming up with a cloud security strategy. Now that you have identified what assets are still located under our complete control and what is hosted elsewhere in the cloud, you must dig deeper into your cloud solutions to really understand what your vendors are providing. All too often, those who utilize hosted solutions make assumptions about what they are getting, which leaves them with more risk than they expect. So, take the time to talk about a few different cloud models and how to think about a threat such as malware in each.
The SaaS Model
One very common cloud model is Software as a Service, or SaaS. A good example of SaaS that everyone is familiar with would be Netflix. Think about how Netflix works. You pay a monthly fee for the service, and you connect to their cloud of movies and TV shows. Maybe you use a small app on your phone or tablet or TV, but the processing, storage, infrastructure, and platform all exist in their own environment. Naturally, your security responsibilities in a SaaS environment are limited entirely to the user account and the device connecting to the service. As such, when talking about malware, think about areas where an end user device can get infected. Also, if your SaaS solution allows for local download of data to your device, we are in some sense back in the hybrid model because data now exists in our local environment. SaaS is the mostly hands-off security model, as you might expect, but not entirely so.
The PaaS Model
The next level is Platform as a Service, or PaaS. (You can see where this is going.) Platform as a Service gives more control to the user buying into the cloud by giving responsibilities for the applications and data sitting on these platforms. One example of PaaS would be Microsoft Azure, where the environment is built for you and you load in the functionality after the fact. Think about how you might go to a big box retailer and buy a PC off-the-shelf. The machine is pretty much set up and waiting for you, but you have to load the applications on it, and you are responsible for working within the device. That’s kind of how PaaS works. The key concern is data. If you accidentally delete a file or a file is infected with malware, that is the responsibility of the organization utilizing that data and not the cloud service provider. This changes the approach considerably. While in a SaaS model, you don’t control or protect the data at rest at the cloud host; you can’t take that approach in PaaS. Proper data and application management, including backup/failover, is critical in a PaaS environment (along with the considerations already discussed for local assets). Your security risks and responsibilities have ticked up.
The IaaS Model
Finally, we have the Infrastructure as a Service model, or IaaS. IaaS goes even further than PaaS by giving the user control over server configuration and organization, including things like the operating system (such as Windows Server). Essentially, by going with an IaaS model over an on-premise model, you are really outsourcing the hardware and data center hosting side of server management. So, you have the same considerations as with local/SaaS/PaaS, but with a few more layers of responsibility. Since you now control the operating system, patches and updates, especially those for security, become critical. You don’t have to worry about the RAID array failing or the power supply on the server, but you are responsible for just about everything else. In many ways, securing these environments takes on almost the same considerations that you would have if you were responsible for a local environment, at least as it pertains to malware. You need to make sure that you are performing proper vulnerability testing and management as well as installing core security tools to protect and monitor these infrastructures.
Parting thoughts on cloud security
As you can probably tell, security in the cloud, especially as it pertains to the malware threat, is very nuanced. Chances are that you will have a mix of these solutions in your organization, so the most important thing to do before feeling comfortable with a cloud security strategy is to really understand where your threats are based on the environment you have. Build your security strategy around the different kinds of solutions you are using in order to maximize effectiveness and minimize investment. Furthermore, during the decision-making process of picking a cloud environment, you will want to understand the security ramifications of those decisions you are prepared to manage security into the future once you fully adopt. Remember, focus first on what you need to accomplish with your technology, then pick the products and services that fit your needs. Finally, understand (along with a technology professional) the security ramifications of viable hosting options.
About the Author
: Ben Schmerler is a Director of Strategic Operations at DP Solutions, an award-winning managed service provider (MSP) headquartered in Columbia, MD. Ben works with his clients to develop consistent strategies not only for technical security, but also policy/compliance management, system design, integration planning, and other business level technology concerns. You can follow DP Solutions updates on LinkedIn or their website: www.dpsolutions.com. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.