What do we mean by cloud security? In my opinion, there are various answers to this question, depending on your cloud role, the complexity of your cloud solution, and your requirements for security, privacy, availability and protection.
Cloud providers are responsible for the cost-effective operation and delivery of high quality cloud services that are fully secure and protected. Cloud service security includes:
- Resource security – keeping the facilities, hardware, software and networks secure and well-protected;
- Functional security – ensuring the service does only what is expected and advertised;
- Process security – providing service, operations and business management and customer interfaces that are well-specified, trustworthy and robust;
- Personal security – avoiding inappropriate exposure of personal and private information;
- Corporate security – isolating cloud customers from each other, which is usually part of what is called multi-tenancy; and
- Various tools and safeguards that can help the cloud customer to meet their responsibilities for business security.
Clearly, the cloud provider has a significant and ongoing responsibility for delivering quality security and protection as an integral part of every cloud service. Being able to trust the provider’s security features is a critical success factor for cloud services.
The cloud customer, however, is ultimately responsible for the Information and Communications Technology (ICT) systems, and especially for all the corporate data. This includes controlling when, where, how and by whom corporate data is collected, manipulated, stored and/or transferred (both for cloud services and for legacy systems). Customer responsibilities include both the prevention of data loss or corruption and also the protection of the data from inappropriate access or misuse.
ISO/IEC DIS 17789 (Information Technology – Cloud Computing – Reference Architecture) states that security and privacy are “cross cutting aspects,” which means they impact all layers and all roles in a cloud computing ecosystem. ISO/IEC 17789 further states that security controls are required to address risks associated with the services and the designs that are chosen by the provider. These controls typically cover a set of categories, such as:
- Identity and access management;
- Discovery, categorization, and protection of data and information assets;
- Information systems acquisition, development, and maintenance;
- Secure infrastructure against threats and vulnerabilities;
- Problem and information security incident management;
- Security governance and compliance;
- Physical and personnel security;
- Security of networks and communications; and
- Isolation between tenants in a multi-tenant situation.
Does defence-in-depth, or “cloud-in-depth” as it could be called, fit into the world of cloud security?
Defence-in-depth is a security strategy that has been popular for a number of years (it pre-dates cloud computing). It is considered to be a best practice for IT security. According to Wikipedia,
Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical for the duration of the system’s life cycle.
I would argue that the list of functions as stated in the Cloud Computing Reference Architecture pretty much demands multiple layers of security and hence a defence-in-depth approach.
There is a lot of ongoing research in the area of cloud computing security, with a large number of documents available. Here are a few references for cloud computing security that may be of interest:
- ISO/IEC CD 27017 (Information technology — Security techniques — Code of practice for information security controls for cloud computing services based on ISO/IEC 27002)
- ISO/IEC DIS 27018 (Information technology — Security techniques — Code of practice for PII protection in public cloud acting as PII processors)
- ISO/IEC 27036-4 (Information security for supplier relationships – Part 4: Guidelines for security of cloud services)
- ISO/IEC 27040 (Storage security)
- NIST Special Publication 800-53, Revision 4 (Security and Privacy Controls for Federal Information Systems and Organizations)
- NIST Special Publication 800-144 (Guidelines on Security and Privacy in Public Cloud Computing)
- NIST Special Publication 500-299, (Draft) NIST Cloud Computing Security Reference Architecture
- Security for Cloud Computing (Cloud Standards Customer Council, August 2012)
One of the most important areas to be considered in depth is the security of hybrid multi-cloud systems (as I described in my recent blog about the cloud computing end game). If you have multiple cloud applications residing in different clouds, or you have a cloud service that is built from combinations of several providers, you need global security integration as well as security for each individual component.
As a simple example: a SaaS application from Provider 1 might use PaaS middleware from Provider 2 who subcontracts the underlying infrastructure to Provider 3. This leads to a need for security coordination across multiple vendors.
Cloud-in-depth may be essential for complex cloud configurations!