AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Selecting the Right IaaS Platform: 8 Tips to Help Ensure You’re Secure


With its flexibility and cost savings, cloud computing is here to stay, and whether you know it or not, you're most likely using it one way or another. At least some of your data, whether personal or business, sensitive or public, is likely being stored, processed and consumed via this mystical all-encompassing cloud in some way.

There are three main types of cloud offerings today – IaaS, PaaS, SaaS – and each comes with a different expectation of security and privacy. As consumers, we need to understand the differences between cloud offerings and what to expect with regards to security and privacy. In today’s blog we’ll review the IaaS (Infrastructure as a Service) service model and ways to properly secure it.

The IaaS service model is the bedrock for all other service models in the cloud computing world. PaaS (Platform as a Service) and SaaS (Software as a Service) are built on top of what's already in place in the IaaS model. It's good to keep this in mind when you start reviewing these models in the future.

There are many IaaS providers these days, the largest of them being Amazon Web Services (AWS). What you get with an IaaS model is normally a virtualized environment that includes the storage, network connectivity, memory and CPU for the systems you’ll end up installing software on. This allows a customer to spin up operating systems on top of the IaaS layer to utilize for their business needs.

One very important thing to note is that when you subscribe to an IaaS, the cloud provider isn't responsible for the security of the operating system you're installing on top of their IaaS platform. The IaaS provider is only responsible for the security of the hardware, segmentation, logical access, etc., but not the security of the software you install on top of it. So, if you install a vulnerable version of Windows and get hacked, it's not the IaaS provider's problem, it's yours.

In a pure IaaS offering there's an abstraction layer between the resources the IaaS allows a customer to use and what the client is actually using these resources for. In most cases this boundary is right at the hypervisor layer. You can think of it this way: the lower down the stack a client goes, the more the client is responsible for with regards to security. This is a key concept to understand when it comes to cloud security.

So before you consider an IaaS platform, here are a few questions to ask your IaaS vendor:

  1. Where is your data located? Will it move out of the country during an emergency or backup? This is important since once the data moves out of the country the data and privacy laws change.
  2. Who has access to the data at the vendor’s site? This goes both for physical and virtual access to your systems. And do these people take security awareness training to protect your data?
  3. Does the vendor offer or allow data encryption? Many IaaS providers allow disk encryption which renders the data useless if it were physically stolen, or virtually copied to another instance.
  4. Will this be a multi-tenant instance or private cloud? This is a huge topic when it comes to the type of data that’s being stored. Understand how the IaaS vendor is performing segmentation and if you’ll be able to take the risk of hosting the particular data in a multi-tenant environment. There can be compliance concerns wrapped around this, so you should consult with an auditor/assessor to verify that this meets the standard you might be held to.
  5. Verify that the IaaS vendor has all the proper documentation, PCI compliance, SSAE 16 Type II, etc. This will depend on your compliance requirements, but ask for all certificates they have on their environment, both public and private, to allow you to better understand where they stand.
  6. Review their business continuity strategy and what their process and procedures are in case of a disaster.
  7. Verify that the vendor has undergone penetration testing and ask for the results of the test. This normally isn't given out, but if they're following compliance they'll probably have been pen-tested and you should dig into this a bit more.
  8. How does an IaaS vendor securely delete your instances after removal? Can you get a certificate of destruction? How is this handled?
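
Question 3 above is one of the few on this list you can verify yourself rather than take the vendor's word for. The script below is an added example, not code from the original post or from any IaaS provider: it audits a block-volume inventory and flags every disk that is not encrypted at rest, treating a missing encryption flag as "not encrypted" so that a gap in the inventory fails closed. The inventory layout is assumed to mirror the shape of an AWS `describe_volumes` response (`VolumeId`, `Encrypted`, `Attachments`, `Tags`); the volume IDs, instance IDs and `DataClass` tag values are constructed sample data, and the `DataClass` tag convention is an assumption of this example rather than anything the post prescribes.

```python
"""Audit a block-volume inventory for disks that are not encrypted at rest.

Added example. The inventory shape is assumed to follow an AWS
``describe_volumes``-style response; the sample data below is constructed
for this example and does not come from a real account.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample inventory (assumption: a describe_volumes-style structure;
# IDs, tags and attachments are invented for illustration).
SAMPLE_INVENTORY = {
    "Volumes": [
        {
            "VolumeId": "vol-0a1example",
            "Encrypted": True,
            "Attachments": [{"InstanceId": "i-web01example"}],
            "Tags": [{"Key": "DataClass", "Value": "public"}],
        },
        {
            "VolumeId": "vol-0b2example",
            "Encrypted": False,
            "Attachments": [{"InstanceId": "i-db01example"}],
            "Tags": [{"Key": "DataClass", "Value": "confidential"}],
        },
        {
            # No "Encrypted" key at all: the audit must treat this as unencrypted.
            "VolumeId": "vol-0c3example",
            "Attachments": [],
            "Tags": [],
        },
    ]
}

# Data classes that make an unencrypted disk a high-severity finding
# (assumed tag convention for this example).
SENSITIVE_CLASSES = {"confidential", "restricted"}


@dataclass
class Finding:
    volume_id: str
    instance_id: Optional[str]   # None when the volume is detached
    data_class: str
    severity: str                # "high" or "medium"
    reason: str


def tag_value(volume: dict, key: str, default: str = "unclassified") -> str:
    """Return the value of tag ``key`` on a volume, or ``default`` if absent."""
    for tag in volume.get("Tags") or []:
        if tag.get("Key") == key:
            return tag.get("Value", default)
    return default


def audit_volume_encryption(inventory: dict) -> List[Finding]:
    """Return one Finding per volume that is not encrypted at rest.

    A missing ``Encrypted`` flag is treated as False (fail closed): an
    inventory that cannot prove encryption should not pass the audit.
    """
    findings: List[Finding] = []
    for vol in inventory.get("Volumes") or []:
        encrypted = bool(vol.get("Encrypted", False))
        if encrypted:
            continue
        attachments = vol.get("Attachments") or []
        instance_id = attachments[0].get("InstanceId") if attachments else None
        data_class = tag_value(vol, "DataClass").lower()
        severity = "high" if data_class in SENSITIVE_CLASSES else "medium"
        reason = ("encryption flag missing from inventory"
                  if "Encrypted" not in vol else "volume not encrypted at rest")
        findings.append(Finding(vol["VolumeId"], instance_id, data_class, severity, reason))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings by severity so a report can lead with the worst cases."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = audit_volume_encryption(SAMPLE_INVENTORY)
    print("Unencrypted volumes:", summarize(results))
    for f in results:
        where = f.instance_id or "detached"
        print(f"[{f.severity.upper()}] {f.volume_id} ({where}, {f.data_class}): {f.reason}")
```

In practice you would feed the function the inventory your provider's API actually returns (for AWS, the output of a `describe-volumes` call) instead of the constructed sample; the point is that a detached volume or a record with no encryption flag still shows up as a finding, because those are exactly the disks that are easiest to overlook when a vendor tells you "encryption is available".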

These are just a few questions to ask when dealing with an IaaS vendor. Remember that with this type of service model the vendor handles security up to the hypervisor and nothing more. So it's your job to determine how security is being conducted above this layer. In our next article we'll discuss the PaaS service model and how we can add security at that layer by building on the security in our IaaS model.
