Cloud-in-depth for data security and protection

What do we mean by cloud security?  In my opinion, there are various answers to this question, depending on your cloud role, the complexity of your cloud solution, and your requirements for security, privacy, availability and protection.

Cloud providers are responsible for the cost-effective operation and delivery of high quality cloud services that are fully secure and protected.  Cloud service security includes:

  • Resource security – keeping the facilities, hardware, software and networks secure and well-protected;
  • Functional security – ensuring the service does only what is expected and advertised;
  • Process security – providing service, operations and business management and customer interfaces that are well-specified, trustworthy and robust;
  • Personal security – avoiding inappropriate exposure of personal and private information;
  • Corporate security – isolating cloud customers from each other which is usually part of what is called multi-tenancy; and
  • Various tools and safeguards that can help the cloud customer to meet their responsibilities for business security.

Clearly, the cloud provider has a significant and ongoing responsibility for delivering quality security and protection as an integral part of every cloud service.  Being able to trust the provider’s security features is a critical success factor for cloud services.

The cloud customer, however, is ultimately responsible for the Information and Communications Technology (ICT) systems, and especially for all the corporate data.  This includes controlling when, where, how and by whom corporate data is collected, manipulated, stored and/or transferred (both for cloud services and for legacy systems).  Customer responsibilities include both the prevention of data loss or corruption and also the protection of the data from inappropriate access or misuse.

ISO/IEC DIS 17789 (Information Technology – Cloud Computing – Reference Architecture) states that security and privacy are “cross cutting aspects,” which means they impact all layers and all roles in a cloud computing ecosystem. ISO/IEC 17789 further states that securitycontrols are required to address risks associated with the services and the designs that are chosen by the provider. These controls typically cover a set of categories, such as:

  • Identity and access management;
  • Discovery, categorization, and protection of data and information assets;
  • Information systems acquisition, development, and maintenance;
  • Secure infrastructure against threats and vulnerabilities;
  • Problem and information securityincident management;
  • Security governance and compliance;
  • Physical and personnel security;
  • Security of networks and communications; and
  • Isolation between tenants in a multi-tenantsituation.

Does defence-in-depth, or “cloud-in-depth” as it could be called, fit into the world of cloud security?

Defence-in-depth is a security strategy that has been popular for a number of years (it pre-dates cloud computing).  It is considered to be a best practice for IT security.  According to Wikipedia,

Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical for the duration of the system’s life cycle.

I would argue that the list of functions as stated in the Cloud Computing Reference Architecture pretty much demands multiple layers of security and hence a defence-in-depth approach.

There is a lot of ongoing research in the area of cloud computing security, with a large number of documents available.  Here are a few references for cloud computing security that may be of interest:

One of the most important areas to be considered in depth is the security of hybrid multi-cloud systems (as I described in my recent blog about the cloud computing end game).  If you have multiple cloud applications residing in different clouds or you have a cloud service that is built from combinations of several providers, you need global security integration as well as for each individual component security.

As a simple example: a SaaS application from Provider 1 might use PaaS middleware from Provider 2 who subcontracts the underlying infrastructure to Provider 3.  This leads to a need for security coordination across multiple vendors.

Cloud-in-depth may be essential for complex cloud configurations!

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Don Sheppard
Don Sheppard
I'm a IT management consultant. I began my career in railways and banks after which I took up the consulting challenge! I try to keep in touch with a lot of different I&IT topics but I'm usually working in areas that involve service management and procurement. I'm into developing ISO standards, current in the area of cloud computing (ISO JTC1/SC38). I'm also starting to get more interested in networking history, so I guess I'm starting to look backwards as well as forwards! My homepage is but I am found more here.

Featured Download

IT World Canada in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Latest Blogs

Senior Contributor Spotlight