How cloud security works?

Cloud computing operates in three main environments:

  1. Public cloud services are hosted by CSPs. These include software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).
  2. Private clouds are hosted by or for a single organization.
  3. Hybrid clouds include a mix of public and private clouds.

As a result, cloud security mechanisms take two forms: those supplied by CSPs and those implemented by customers. It is important to note that handling of security is rarely the complete responsibility of the CSP or the customer. It is usually a joint effort using a shared responsibility model.

Although not standardized, the shared responsibility model is a framework that outlines which security tasks are the obligation of the CSP and which are the duty of the customer. Enterprises using cloud services must be clear which security responsibilities they hand off to their provider(s) and which they need to handle in-house to ensure they have no gaps in coverage.

Customers should always check with their CSPs to understand what the provider covers and what they need to do themselves to protect the organization.

Security controls supplied by CSPs vary by service model, be it SaaS, PaaS or IaaS. Customer responsibility commonly increases from SaaS to PaaS to IaaS.

In general, CSPs are always responsible for servers and storage. They secure and patch the infrastructure itself, as well as configure the physical data centers, networks and other hardware that power the infrastructure, including virtual machines (VMs) and disks. These are usually the sole responsibilities of CSPs in IaaS environments.

In a PaaS environment, CSPs assume more responsibility, including securing runtime, networking, operating systems (OSes), data and virtualization. In a SaaS environment, CSPs also provide application and middleware security.

The details of security responsibilities can vary by provider and customer. For example, CSPs with SaaS-based offerings may or may not offer customers visibility into the security tools they use. IaaS providers, on the other hand, usually offer built-in security mechanisms that enable customers to access and view CSP security tools, which may also provide customer-alerting functionality.

Customer security responsibilities

To supplement the CSP security controls listed above, customers are generally responsible for application, middleware, virtualization, data, OS, network and runtime security in IaaS clouds. In IaaS architectures, such as Amazon Virtual Private Cloud (VPC) or Microsoft Azure Virtual Network (VNet), for example, customers can supplement, replace or overlay built-in cybersecurity mechanisms with their own set of tools.

In PaaS environments, customers take on fewer security tasks, generally only application and middleware security. SaaS environments involve even less customer responsibility.

Data security and identity and access management (IAM) are always the responsibility of the customer, however, regardless of cloud delivery model. Encryption and compliance are also the responsibility of the customer.

Yet, because CSPs control and manage the infrastructure customer apps and data operate within, adopting additional controls to further mitigate risk can be challenging. IT security staff should get involved as early as possible when evaluating CSPs and cloud services. Security teams must evaluate the CSP’s default security tools to determine whether additional measures will need to be applied in-house.

Adding a company’s own security tools to cloud environments is typically done by installing one or more network-based virtual security appliances. Customer-added tool sets enable security administrators to get granular with specific security configurations and policy settings. Many enterprises also often find it cost-effective to implement the same tools in their public clouds as they have within their corporate local area networks (LANs). This prevents administrators from having to recreate security policies in the cloud using disparate security tools. Instead, a single security policy can be created once and then pushed out to identical security tools, regardless of whether they are on premises or in the cloud.