As companies continue to move into the cloud, it is important to define responsibilities when choosing a cloud vendor and signing the contract with it. Most cloud environments are characterized by shared security responsibilities and form a continuum. In SaaS environments, the SaaS provider assumes most of the responsibility. In infrastructure as a service (IaaS) or platform as a service (PaaS) environments, the vendor's share of responsibility is smaller and the customer's is larger.
In the IaaS cloud environment (for simplicity, this article treats IaaS and PaaS together), the vendor provides the core infrastructure: the underlying network, compute, and storage services. The customer is responsible for granular network management, server management, and data storage management. Most of the major cloud security decisions are therefore in the customer's hands, and customer responsibilities include:
• Control network access (open and close ports and protocols)
• Authorize or deny server and service layer access (customer is responsible for server and service configuration)
• Design, implement, maintain, and check access control within applications
• Implementation of recovery and other redundant solutions
• Continuous monitoring of access, security, and availability
Because the customer holds primary control of design, configuration, and operation, the customer is responsible for ensuring that the IaaS environment is secure, which includes ensuring that the vendor cannot access the servers or data (whether the restriction is enforced through technical or policy controls). It is preferable for vendors to implement technical controls rather than rely on policies. If you are an IaaS client of a vendor that has limited technical controls and relies heavily on policies and procedures, it is important to understand the vendor's monitoring methods. Be sure that the vendor can and will monitor unauthorized attempts to access your resources. Remember: the goal is to limit the vendor's access to your data and services, bearing in mind that the vendor can still affect your service availability.
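The monitoring described above is usually implemented by reviewing the access audit trail for the customer's resources. The following Go program is an added example, not code from the original article or from any vendor: it parses a constructed audit log in a hypothetical `key=value` format and flags two kinds of event a customer would want surfaced, any access by a principal the customer does not own (the vendor's own staff, for instance), and a customer principal that accumulates repeated denials. The log lines, the principal names, and the `result=ALLOW|DENY` field are all constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessEvent is one parsed line of a (constructed) IaaS access audit log.
type AccessEvent struct {
	Time      string
	Principal string
	Action    string
	Resource  string
	Result    string
}

// Finding is an event the customer should review.
type Finding struct {
	Event  AccessEvent
	Reason string
}

// ParseAccessLog parses lines of the hypothetical form
//   <timestamp> principal=<id> action=<verb> resource=<id> result=ALLOW|DENY
// and skips lines that do not fit it.
func ParseAccessLog(lines []string) []AccessEvent {
	var events []AccessEvent
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) != 5 {
			continue
		}
		ev := AccessEvent{Time: fields[0]}
		ok := true
		for _, kv := range fields[1:] {
			k, v, found := strings.Cut(kv, "=")
			if !found {
				ok = false
				break
			}
			switch k {
			case "principal":
				ev.Principal = v
			case "action":
				ev.Action = v
			case "resource":
				ev.Resource = v
			case "result":
				ev.Result = v
			default:
				ok = false
			}
		}
		if ok && ev.Principal != "" && ev.Result != "" {
			events = append(events, ev)
		}
	}
	return events
}

// FlagUnauthorized applies two detection rules:
//  1. any access (allowed or denied) by a principal the customer does not own
//     is flagged, because the customer's controls should make vendor-side
//     access impossible, not merely logged;
//  2. a customer-owned principal that reaches denyThreshold DENY results is
//     flagged once, as a possible credential-misuse attempt.
func FlagUnauthorized(events []AccessEvent, customerPrincipals map[string]bool, denyThreshold int) []Finding {
	var findings []Finding
	denies := map[string]int{}
	for _, ev := range events {
		if !customerPrincipals[ev.Principal] {
			findings = append(findings, Finding{Event: ev,
				Reason: fmt.Sprintf("access by non-customer principal %q (result=%s)", ev.Principal, ev.Result)})
			continue
		}
		if ev.Result == "DENY" {
			denies[ev.Principal]++
			if denies[ev.Principal] == denyThreshold {
				findings = append(findings, Finding{Event: ev,
					Reason: fmt.Sprintf("%d denied attempts by %q", denyThreshold, ev.Principal)})
			}
		}
	}
	return findings
}

// SampleLog is constructed for this example; it is not real vendor output.
var SampleLog = []string{
	"2024-05-01T10:00:00Z principal=alice@customer action=ssh resource=vm-01 result=ALLOW",
	"2024-05-01T10:05:12Z principal=support-eng@vendor action=console-login resource=vm-01 result=DENY",
	"2024-05-01T10:05:40Z principal=support-eng@vendor action=console-login resource=vm-01 result=ALLOW",
	"2024-05-01T11:00:01Z principal=bob@customer action=read resource=bucket-data result=DENY",
	"2024-05-01T11:00:02Z principal=bob@customer action=read resource=bucket-data result=DENY",
	"2024-05-01T11:00:03Z principal=bob@customer action=read resource=bucket-data result=DENY",
	"garbage line that the parser must skip",
}

func main() {
	owned := map[string]bool{"alice@customer": true, "bob@customer": true}
	for _, f := range FlagUnauthorized(ParseAccessLog(SampleLog), owned, 3) {
		fmt.Printf("%s %s\n", f.Event.Time, f.Reason)
	}
}
```

Run against the sample log, the program reports the two vendor-principal events (the denied one and, more importantly, the allowed one) and the third denial for `bob@customer`. In practice the set of customer-owned principals would come from the customer's identity provider rather than a hard-coded map.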
With current data encryption, the vendor's access to sensitive information can be controlled: without the encryption key, the data is unreadable. The key consideration here is to retain control of the encryption keys. Many IaaS vendors will agree to a "no access" arrangement; if your vendor is pressing for access to your keys, you should seriously reconsider the relationship. When implementing data encryption, remember that relying on database-level encryption increases risk: if an application can successfully query the data from the database server, the encryption is defeated. For this reason, it is best to invest in implementing encryption and decryption in the application tier.
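To make the application-tier point concrete, here is an added Go example (not code from the original article or from any vendor) in which the application encrypts a sensitive field with AES-GCM before it is written to the data store and decrypts it on the way back. The in-memory `EncryptedStore` stands in for a database table, and the `FieldCipher` type, the `record:<id>` associated-data context, and the sample values are all assumptions of this example; the key would in practice be obtained from the customer's own key management, not stored alongside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// FieldCipher encrypts individual sensitive fields inside the application, so
// the database server (and whoever operates it) only ever sees ciphertext.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher builds an AES-GCM cipher from a 16-, 24- or 32-byte key.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Encrypt returns base64(nonce || ciphertext || tag). The context is bound as
// associated data, so a ciphertext cannot be moved to a different record.
func (f *FieldCipher) Encrypt(plaintext, context []byte) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := f.aead.Seal(nonce, nonce, plaintext, context)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt; it fails on a wrong key, tampering or wrong context.
func (f *FieldCipher) Decrypt(encoded string, context []byte) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	ns := f.aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return f.aead.Open(nil, sealed[:ns], sealed[ns:], context)
}

// EncryptedStore stands in for the database table; rows hold only ciphertext.
type EncryptedStore struct {
	fc   *FieldCipher
	rows map[string]string // record id -> encrypted field
}

func NewEncryptedStore(fc *FieldCipher) *EncryptedStore {
	return &EncryptedStore{fc: fc, rows: map[string]string{}}
}

// Put encrypts the field before it reaches the "database".
func (s *EncryptedStore) Put(id, secret string) error {
	enc, err := s.fc.Encrypt([]byte(secret), []byte("record:"+id))
	if err != nil {
		return err
	}
	s.rows[id] = enc
	return nil
}

// Get decrypts on the way back into the application.
func (s *EncryptedStore) Get(id string) (string, error) {
	enc, ok := s.rows[id]
	if !ok {
		return "", errors.New("no such record")
	}
	pt, err := s.fc.Decrypt(enc, []byte("record:"+id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Raw is what a direct database query would return for the field.
func (s *EncryptedStore) Raw(id string) string { return s.rows[id] }

// PutRaw models someone with database access writing a value directly.
func (s *EncryptedStore) PutRaw(id, raw string) { s.rows[id] = raw }

// WithKey returns a view of the same rows under a different key, modelling a
// party that holds the data but not the customer's key.
func (s *EncryptedStore) WithKey(fc *FieldCipher) *EncryptedStore {
	return &EncryptedStore{fc: fc, rows: s.rows}
}

func main() {
	key := make([]byte, 32) // demo only: a real key comes from the customer's key management
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	st := NewEncryptedStore(fc)
	_ = st.Put("cust-1", "123-45-6789") // constructed sample value
	fmt.Println("stored in DB:", st.Raw("cust-1"))
	pt, _ := st.Get("cust-1")
	fmt.Println("read by app :", pt)
}
```

Querying the store directly yields only the base64 ciphertext, decrypting with any other key fails authentication, and copying a ciphertext from one record to another also fails because the record id is bound as associated data. This is the property the paragraph is after: a party that can query the database server but does not hold the application's key gains nothing.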
When signing a contract with an IaaS vendor, your duties include:
• Select vendors with strong technical controls that prevent unauthorized access and data or service outages
• Where technical controls fall short, use the contract to require the controls you need most and to minimize the vendor's own level of control
• Develop and implement technical controls that reinforce the contractual relationship, and monitor for potential service terminations and unauthorized access attempts
• Design and implement assessment procedures to validate that vendor operations stay within contractual and technical boundaries
In short, your goals for the IaaS environment are to limit the risk of a vendor-side security incident, to increase your likelihood of discovering inadequate technical and policy controls during your assessments, and to minimize the likelihood that a security incident goes undiscovered when one occurs.