Cloud data security should be shared by customers and suppliers

As the computing stack moves down, customers control the number of public cloud computing services, increasing, software as a service (SaaS) is rarely even zero, infrastructure as a service (IaaS) accounted for the vast majority. The same goes for cloud security: Software as a service and the responsibility to secure the platform and infrastructure are clearly on the providers.

But as the stack gets deeper, things get worse. When it comes to IaaS, there is no clear line between the provider and the user's security responsibilities. The responsibility for defining boundaries falls on the client.

"From a governance perspective, from a control perspective, from a management perspective, it is important to let cloud tenants or customers understand that this is a common responsibility," said Jim Reavis, executive director of the Cloud Security Alliance, who promotes best practices and enhances cloud security training. ”

Identify security gaps understand safety rules

To underscore the common security responsibility, the fact that due to the concerns of IaaS, such as the June 2012 Amazon outage, different organizations have suffered different consequences. Reavis: "When data goes offline, some organizations almost fail, while other organizations do not have any downtime." This shows that the customer is keeping the data in their control and at the same time controlling their fate. ”

Antonio Piraino, a provider of business management software at Virginia State's Reston Sciencelogicit, said that to implement proper controls, cloud tenants must understand where there are security vulnerabilities, "You must know what you are buying." Some people are more concerned about safety than others. ”

"As with most things in the cloud, security is different from suppliers," says Thomas Trappler, a consultant and lecturer at Cloud Computing risk mitigation in Los Angeles, Calif., "For example, Amazon Web Services (AWS) offers" a wide variety of options, "he said." It's not just any AWS service. So even within the scope of AWS, the customer is responsible for different content, you pay to Amazon to buy things, the responsibility will be different. ”

Eventually, customers get what they want, and Piraino says, "If you pay for cloud services, you have to pay extra for extra security and additional uptime and disaster recovery." ”

The Division of security responsibility is further confused by the different parts of the evaluation stack (procured by the customer from the IaaS provider). Piraino said: "We're seeing a tighter link between IaaS and PAAs, fundamentally, an original computing infrastructure,"-less than the operating system (OS), "he explains," Initially, customers are responsible for configuring (virtual machines), operating systems, installing firewalls. But in addition to the original virtual machine, you can buy IaaS. May be shipped with an operating system or a database with some applications. The more you buy, the greater the responsibility of the IaaS provider. ”

Look at AWS again. For example, "when it comes to specific problems with malicious intent to deploy to AWS, the usual rule of thumb is that the higher the stack, the lower the ability of AWS responsible for workload or data security," he explains, "very simply, at the facility and physical infrastructure level, Using AWS's ability and interest to provide physical security is the best practice because of its large project but low cost. ”

Piraino added: "At the network layer and the virtualization layer, it's not that simple." AWS is responsible for data transmission in the AWS Datacenter-between the region and Amazon Resilient Cloud Computing (EC2) or resilient block Storage (EBS) technology.

"Similarly, AWS's Toolset Xen System Management Program is responsible for its infrastructure as a service-making the indispensable part of a cloud product transferable and the customer has no say in order to realize the true sense of the AWS," Piraino said.

Develop the right public cloud security mentality

When the organization moved the application to the public cloud, the pattern changed, Trappler said. The way you think must be different. This seems obvious, but it's important. People are saying, ' We're from what we're used to--technology management solutions--to the management solutions of cloud contracts that someone has done for us. How do we know what they're doing is right?

The answer is: "It's always just right to confirm and perform the obligations (providers) in accordance with the contract, and you can see what they should be focusing on," Trappler said. To this end, understand which parts of the provider's infrastructure are registered and/or audited. "It may not be the entire infrastructure," he said. There are usually multiple data centers and points in the middle. ”

"The contract is a consensus on the line between the provider's responsibility and the customer's responsibility," he said. "You need a contract to establish terms of relationship and agree on who to do what." Then have the customer side of the vendor management to maintain this relationship. ”