A NEW SECURITY MODEL FOR THE CLOUD ERA
© Copyright InfoWorld Media Group. All rights reserved.
DEEP DIVE SERIES
Staying secure in the cloud
Cloud computing depends on sharing resources that were never shared before, demanding a new set of security best practices
BY ROGER GRIMES
The good news about cloud computing is you’re probably saving a lot of money on IT overhead and getting more out of the services you’re paying for. The bad news is you’re giving up a lot of control.
This lack of control presents the biggest challenges. Cloud computing is here to stay. But it brings with it all of the traditional computer security threats as well as a host of new ones. The cloud is making security experts’ jobs harder than ever before, forcing them to step up with innovative responses. This Deep Dive will detail the unique security challenges cloud computing presents and the best practices you should implement to meet them.
Cloud computing basics
No matter what services your organization is deploying in the cloud – infrastructure, software, or platform – how you secure them depends a great deal on who’s providing them. There are essentially three kinds of cloud services:
• The public cloud. As the name implies, public clouds are offered to the general public. They’re accessible via an Internet connection and shared among many customers, often thousands. Some of the largest public cloud providers include Amazon Web Services, Microsoft Windows Azure, and Rackspace Cloud.
• The private cloud. Private clouds are typically created and hosted by a single organization, usually behind the corporate firewall, which provides services on request to employees. Private clouds can also be hosted by third parties, but they remain dedicated to a single customer. They can be more costly than public clouds but offer greater control over your data and better fault tolerance.
• The hybrid cloud. This term typically applies to organizations whose IT operations combine internal private cloud services with external public cloud services. It may also refer to service offerings used exclusively by an invited group of private customers (also called a “community cloud”).
Because the public cloud offers both the least control and the least understood risks, this Deep Dive will focus primarily on securing the public cloud.
How public cloud computing is different from traditional IT
In a traditional IT scheme, all your applications and data are likely stored on servers you control and share with no one else.
You know where these machines and data are located. You know exactly how well they are secured, how often they’re backed up, where those backups are located when you need them, and what processes will kick in if those machines fail or are compromised. If you’re doing your job correctly you should have a good idea of who’s accessing your network, what machines they are using to do it, and where these users are physically located. You probably use a centralized directory service to manage how employees and customers are authorized to access different parts of the network, which you can use to deprovision them at any time. Finally, when you’re decommissioning servers or storage, you can make certain they are wiped clean of sensitive data before they’re sent to the boneyard.
In the public cloud, many of those things are no longer true. Your IT operations are accessible via the Internet. The machines and data you’re using could be located anywhere on the planet as part of a massively scalable, user-configurable pool of computing resources. You are likely sharing many of those computing resources with hundreds if not thousands of users who are not in your organization. You may also be sharing a common authentication scheme with many of those other organizations. Disaster recovery and fault tolerance