Cloud computing is to security what your company is to its mission. If your company isn’t accomplishing its mission, it may be time to reevaluate your reasons for being in business. Likewise, if your cloud service isn’t as secure as it needs to be, it may be time to explore better options. The good news is, you’ve got a lot of options.
The “skyscape” of cloud computing is varied and for good reason. Not all cloud services are created equal, as each has its own purpose, but all are accessible anywhere, any time, as long as there is an internet connection. Here are the three types of service models:
- If you are using a Public Cloud service, both the service and infrastructure are hosted by a third-party provider via a public network.
- If maintaining a private network is important for your data storage, you may use a Private Cloud service, which uses pooled services and infrastructure hosted on a private network that is accessible only to you as the client. Private Clouds operate in a business’s data center.
- If your company stores sensitive applications or data but may also need to make non-sensitive operations available to a wider network, a Hybrid Cloud model that marries both the Public and Private Clouds may be best for your business.
Within these service models, there are three ways to distinguish the control that you as a client have of the cloud computing service. Ten years ago, we saw the explanatory model of the cloud pyramid emerge and this continues to be an economical way to explain the different levels of service within the three models described above. The three levels of the service pyramid are:
- Infrastructure as-a-Service (IaaS) - which is at the base of the pyramid. An IaaS offers a great many assets to a client, but also requires that the client be fully vested in its use and development. Amazon Web Services is an example of this.
- Platform as-a-Service (PaaS) - Next ascending the pyramid is a platform that can be customized to meet individual needs. In PaaS, the service provider manages networking, storage, servers, virtualization, OS, middleware and runtime, but you as the client manage the data and applications. Microsoft Azure is an example.
- Software as-a-Service (SaaS) - Finally at the top of the pyramid is a software delivery model where software applications are hosted and made available to you as a client over the internet. Applications are hosted in the cloud and are available from any location using a computer or mobile device. Google Apps and Office 365 are some examples.
No matter which service model and level your company is using, there are a variety of factors that will determine whether your cloud security is optimal. With all of the sensitive, proprietary information developed and exchanged in the cloud, along with an ever-evolving list of cybersecurity threats, here are some considerations to help your company maintain a secure cloud environment. Several are drawn from the Cloud Security Alliance (CSA)’s recent Treacherous 12 Top Threats to Cloud Computing Plus: Industry Insights report:
- Know what is shared, by whom, and how long it is intended to be stored on the cloud.
- Is the credentialing or key management process sufficient at every step, or is it likely to give an unauthorized user access to sensitive data?
- Is data delivered in your cloud to a location that may leave your company exposed to noncompliance penalties?
- Ensure application programming interfaces (APIs) are designed to protect against accidental and malicious attempts to circumvent policy.
- Has our organization done its due diligence in vetting cloud service providers?
Based on your company’s direction, team needs, and existing resources, cloud computing should be an asset to your business, rather than another safety hazard. If you are in the Greater Boston area, consider registering for our free IT Symposium of Awesomeness to learn more about cloud computing security and many other current issues your company may be facing.