With its flexibility and cost savings cloud computing is now here, and whether you know it or not, you’re most likely using it one way or another. At least some of your data, whether personal or business, sensitive or public, is likely being stored, processed and consumed via this mystical all-encompassing cloud in some way.
There are three main types of cloud offerings today – IaaS, PaaS, SaaS – and each comes with a different expectation of security and privacy. As consumers, we need to understand the differences between cloud offerings and what to expect with regards to security and privacy. In today’s blog we’ll review the IaaS (Infrastructure as a Service) service model and ways to properly secure it.
The IaaS service model is the bedrock for all other service models in the cloud computing world. The PaaS (Platform as a Service) and SaaS (Software as a Service) are built on top of what’s already in place in the IaaS model. Its good to keep this in mind when you start reviewing these models in the future.
There are many IaaS providers these days, the largest of them being Amazon Web Services (AWS). What you get with an IaaS model is normally a virtualized environment that includes the storage, network connectivity, memory and CPU for the systems you’ll end up installing software on. This allows a customer to spin up operating systems on top of the IaaS layer to utilize for their business needs.
One very important thing to note is that when you subscribe to an IaaS, the cloud provider isn’t responsible for the security of the operating system you’re installing on top of their IaaS platform. The IaaS provider is only responsible for the security of the hardware, segmentation, logical access etc. but not the security of the software you install on top of it. So, if you install a vulnerable version of Windows and get hacked, it’s not the IaaS providers’ problem, it’s yours.
In a pure IaaS offering there’s an abstraction layer between the resources the IaaS allows a customer to use and what the client is actually using these resources for. In most cases this is right up to the hypervisor layer. You can think of it this way: The lower down the stack a client goes the more the client is responsible for with regards to security. This is a key concept to understand when it comes to cloud security.
So before you consider an IaaS platform, here are a few questions to ask your IaaS vendor:
These are just a few questions to ask when dealing with an IaaS vendor. Remember that with this type of service model the vendor handles security up to the hypervisor and nothing more. So it’s your job to determine how security is being conducted below this layer. In our next article we’ll discuss the PaaS service model and how we can add security towards this layer, by building off the security in our IaaS model.
Receive notifications of new posts by email.