Cloud Security

Cloud computing security encompasses the practices, technologies, controls, and applications used to protect cloud computing environments. These security measures are designed to protect data, services, applications, and the related infrastructure in the cloud from both internal and external threats, while at the same time safeguarding users’ privacy and enabling and maintaining compliance with all applicable rules and regulations. While cloud computing security needs vary widely from business to business, the primary goal is the protection of data and the control of access to that data. As more and more businesses take advantage of cloud computing and enjoy the reduced cost of doing business, increased agility, and the ability to quickly scale, they must ensure that they consider security straight from the get-go and choose the right type and level of security to actively prevent data loss and leakage.

There are three main categories of cloud service models:

IaaS (Infrastructure-as-a-Service)

Infrastructure as a service (IaaS) is an instant computing infrastructure, provisioned and managed over the internet. IaaS resembles the data center and server environments that many IT departments are used to managing on their own physical sites. IaaS is a standardized, highly automated instant computing infrastructure. The cloud computing resources (storage, network, and operating systems) are owned by a cloud service provider, who also manages the infrastructure itself. IaaS follows an on-demand model where resources scale up and down with demand, allowing you to pay only for what you use. It helps you avoid the expense and complexity of buying and managing your own physical servers and other datacenter infrastructure. Each resource is offered as a separate service component, and you only need to rent a particular one for as long as you need it.

Startups and small companies may prefer IaaS to avoid spending time and money on purchasing and creating hardware and software. Larger companies may prefer to retain complete control over their applications and infrastructure, but they want to purchase only what they actually consume or need. Companies experiencing rapid growth like the scalability of IaaS, and they can change out specific hardware and software easily as their needs evolve. Anytime you are unsure of a new application’s demands, IaaS offers plenty of flexibility and scalability.

With IaaS, the customer runs the operating system and has network traffic flowing within their environment that they also have to secure. In other words, while cloud computing security in IaaS is about data, it’s also about infrastructure.

Examples of IaaS include Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

PaaS (Platform-as-a-Service)

Platform as a service (PaaS) is a complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications. You purchase the resources you need from a cloud service provider on a pay-as-you-go basis and access them over a secure Internet connection.

Like IaaS, PaaS includes infrastructure—servers, storage, and networking—but also middleware, development tools, business intelligence (BI) services, database management systems, and more. PaaS is designed to support the complete web application lifecycle: building, testing, deploying, managing, and updating.

PaaS environments are primarily useful for DevOps: they let developers build and run web applications and services without having to maintain the related servers, databases, development tools, and other infrastructure. PaaS environments are offered by many of the same providers as IaaS, but with PaaS, the cloud service providers provide the necessary infrastructure, while the developers provide the accompanying code. In the case of PaaS and IaaS, service providers are essentially furnishing a framework for you to build something on their cloud. With PaaS, you have to secure whatever application you build to put on it, but you aren’t running the operating system.

In the case of PaaS and IaaS, since you’re operating a virtual network on the cloud, you’re susceptible to network-based threats: attackers and adversaries will scan for vulnerabilities in the cloud infrastructure and try to find open ports to exploit.

Examples: AWS Elastic Beanstalk, Google App Engine

SaaS (Software-as-a-Service)

Software as a service (SaaS) allows users to connect to and use cloud-based apps over the Internet. SaaS represents the most commonly utilized option for businesses in the cloud market; common examples are email, calendaring, and office tools.

Due to its web delivery model, SaaS eliminates the need to have IT staff download and install applications on each individual computer. With SaaS, vendors manage all potential technical issues, such as data, middleware, servers, and storage, resulting in streamlined maintenance and support for the business.

When it comes to SaaS, the customer is only responsible for data and user access, and the cloud service provider covers the rest. In other words, the enterprise is responsible for how they use the app, who can access stored data, what sort of sign-on requirements are implemented (such as multifactor), and what data goes into it. Data access control and exfiltration are the primary areas of focus here—while malware could ostensibly make it into a business’s cloud content management/file sharing service or come from a URL that is hosted on a file storage site, most of the issues customers are solving with SaaS are data loss prevention problems.

Examples: Office 365, Box, Gmail, Acronis, Carbonite, OneDrive, Google Drive

The Services We Can Provide:

  • Perform cloud audits to assess and prioritize security risks, evaluate current controls, identify gaps in your existing cloud security program and make recommendations based on your business priorities.
  • Design cloud monitoring and reporting strategies that provide clear visibility into user activity and data access.
  • Perform cloud compliance assessments to ensure that your cloud initiatives comply with regulatory frameworks as well as industry best practices.
  • Extend identity and access management (IAM) policies to your cloud initiatives.