researchHQ’s Key Takeaways:
- An effective cloud security strategy demands that organisations adopt a cloud-native model rather than simply migrating legacy applications to a cloud provider.
- A key difference between traditional computing and the cloud is the inclusion of network-enabled and remotely accessible management plane components in the cloud’s metastructure.
- Cloud security is developer-driven and varies between providers at the fundamental level.
- Under the shared responsibility model, cloud security responsibilities are distributed between organisations depending on the particular provider, product and model.
- Common cloud security concerns include legal issues, application security, data security and encryption, and incident response.
Cloud is also becoming the back end for all forms of computing, including the ubiquitous Internet of Things, and is the foundation for the information security industry. New ways of organizing compute, such as containerization and DevOps, are inseparable from cloud and are accelerating the digital revolution.
So what is cloud security? How is security for cloud computing different from on-premise security? In this blog I’ll attempt to answer those two questions.
(To learn more about best practices for securing a cloud environment read the CSA Security Guidance for Cloud Computing.)
What makes cloud computing unique from other forms of computing?
There are many different ways of viewing cloud computing: it is a technology, a collection of technologies, an operational model, and a business model, just to name a few. Essentially, cloud computing is a new operational model that combines the benefits of abstraction (virtualization) and automation (orchestration) for new ways of delivering and consuming technology. Cloud separates application and information resources from the underlying infrastructure and the mechanisms used to deliver them. Cloud describes the use of a collection of services, applications, information and infrastructure composed of pools of compute, network, information, and storage resources. Cloud provides an on-demand model of allocation and consumption.
Essential characteristics of cloud computing, service models and deployment models are all depicted in the following graph.
What are the differences between on-premise and cloud security?
There are security benefits to using cloud since cloud providers have significant economic incentives to protect customers. However, these benefits only appear if you understand and adopt cloud-native models and adjust your architectures and controls to align with the features and capabilities of cloud platforms. In fact, taking an existing application or asset and simply moving it to a cloud provider without any changes will often reduce agility, resiliency, and even security, all while increasing costs.
Cloud is primarily developer-driven.
Compared to on-premise security, cloud is primarily developer-driven. Every provider is fundamentally different at the lowest possible levels and old patterns are now new antipatterns. Often you will have things that look the same in the cloud but they are most definitely not the same. (For example: is a cloud route table the same as the one on your routers? The answer is no.)
The key difference between cloud and traditional computing is the metastructure.
At a high level, both cloud and traditional computing adhere to the following logical model, which identifies distinct layers based on functionality: infrastructure, metastructure, infostructure and applistructure. However, cloud metastructure includes the management plane components, which are network-enabled and remotely accessible.
In the cloud, you tend to double up on each layer. Infrastructure, for example, includes both the infrastructure used to create the cloud and the virtual infrastructure used and managed by the cloud user. In private cloud, the same organization might need to manage both; in public cloud, the provider manages the physical infrastructure while the consumer manages their portion of the virtual infrastructure. As we discuss further in the CSA Security Guidance v4, this has profound implications for who is responsible for, and manages, security. These layers tend to map to different teams, disciplines, and technologies commonly found in IT organizations.
Cloud differs extensively from traditional computing within each layer of the metastructure.
While the most obvious and immediate security management differences are in metastructure, cloud differs extensively from traditional computing within each layer. The scale of the differences will depend not only on the cloud platform, but on how exactly the cloud user utilizes the platform.