Service and Deployment Models, Challenges and Security Principles
Most businesses think of cloud services as being either less secure than on-site services because they expose sensitive data to a wider range of possible attacks or breaches, or more secure because “everything” is taken care of by the cloud provider. The fact, however, is that cloud computing comes with security challenges that are different from but not necessarily more or less serious than what a business would face in an on-premises environment. Whatever security issues there are in the cloud model are due more to users’ inability to adapt quickly to the new threat environment and address security needs specific to the cloud than to any inherent weaknesses and security loopholes in the model itself. In most cases, the learning curve that organizations need to go through before attaining a secure state on the cloud is a bigger challenge than developing technology to address security concerns.
To understand how an organization should approach cybersecurity in the cloud, one must first understand the main service and deployment models associated with cloud computing. The National Institute of Standards and Technology (NIST) defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. A simpler definition by PCMag says “cloud computing means storing and accessing data and programs over the Internet instead of your computer’s hard drive. The cloud is just a metaphor for the Internet”.
The cloud model, as defined by NIST, includes three main service models and four deployment models.
Cloud Service Models
The main service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Infrastructure as a Service (IaaS)
In the IaaS model, resources are provided to the consumer to “deploy and run arbitrary software” such as operating systems and applications. Compared to the other two service models, IaaS gives greater control to the user over computing resources which may include operating systems, storage, and networking components. Examples include content delivery networks (CDNs), services management, platform hosting and backup and recovery services (think enterprise cloud – Amazon AWS, Microsoft Azure, Google Cloud Platform).
Platform as a Service (PaaS)
In the PaaS model, resources are provided to the consumer to create and deploy applications in the cloud using programming languages, libraries, and tools supported by the provider. The consumer controls the deployed applications and, in some cases, configuration settings for the hosting environment. Examples include databases, application deployment, development, testing and integration.
Software as a Service (SaaS)
SaaS is the most widely used cloud service model and gives the consumer the lowest degree of control over computing resources. A SaaS consumer uses the provider’s applications running on the cloud and accessed either via a web browser or a program interface. Examples include ERP and CRM services, document management, content management, billing and sales services and social networks (think LastPass, DocuSign, WebEx, Salesforce, G-Suite, Office365, Slack, Skype).
Cloud Deployment Models
In addition to the three service models, NIST identifies four main deployment models for cloud services based on how they are accessed, controlled and deployed. These are:
- Private cloud – Where the cloud infrastructure is used by a single organization and may exist on or off-premises.
- Public cloud – Where the cloud infrastructure can be used by the general public and exists on the premises of the cloud provider.
- Community cloud – Where the cloud infrastructure is used by a specific community of consumers who have shared concerns, and may exist on or off-premises.
- Hybrid cloud – Where the cloud infrastructure combines two or more deployment models (private, community, or public) that remain separate, but are connected through “standardized technology that enables data and application portability”.
The complexity and variability of the cloud model, with its multiple service and deployment possibilities, make it hard to apply a fixed pattern or set of rules to cloud security in general. Nevertheless, there are a few fundamental concerns and best practices that organizations must keep in mind when developing a security strategy for their cloud-hosted services.
In its Cloud Computing Standards Roadmap, NIST identifies the main security challenges that cloud providers and users may have to deal with. These include:
- Threats to the confidentiality and integrity of data in transit.
- Attacks that exploit the cloud’s shared resources, homogeneity and ease-of-use to quickly build up the scale of damage.
- Unauthorized access to software, resources and data.
- Network-based attacks that take advantage of security loopholes in software originally built for on-premises computing environments that is being run on the cloud without any upgrades or modifications.
- Limitations on data encryption in a multi-tenant system.
- Vendor lock-in or inability to easily migrate to other cloud vendors when cloud providers use non-standard APIs or storage formats.
- Inconsistencies in global security standards that enable attackers to target services that involve multiple vendors, supply-chain partners, and users located in different countries.
- Supply-chain partners not following the same security standards as the primary cloud provider.
- Man-in-the-Middle attacks on data in transit.
Security Principles and Mitigation Strategies
While a number of broad security principles are equally relevant to both traditional (on-premises) and cloud computing services, there are some aspects of security that become especially significant in the context of the cloud. It’s worthwhile to become familiar with some of these before diving deep into the specifics of cloud security. In the introductory chapter of his book ‘Practical Cloud Security: A Guide for Secure Design and Deployment’, Chris Dotson includes the following security concepts relevant to the cloud.
- Least Privilege – According to the principle of least privilege, application users should be able to access no more information than they need to do their specific jobs. The term ‘least privilege’ is often used in conjunction with the ‘deny by default’ principle which means that access to all cloud services or applications should be set to ‘deny’ to begin with, and users must go through a formal request and approval process before being granted access to any services or data.
- Defense in depth – ‘Defense in Depth’ refers to a layered security approach wherein it is assumed that any and every security control can fail at some point, and attacks that get through one layer can be blocked at the layer behind it, or at ‘deeper’ layers.
- Threat Actors and Trust Boundaries – Threat actors are entities or individuals most likely to cause harm to an organization. It’s important for both cloud providers and consumers to keep possible threat actors in mind when designing a security strategy. Dotson lists four kinds of threat actors in his book – organized crime or independent criminals with monetary motives; hacktivists interested in disrupting businesses; internal actors with malicious intent; and state-backed actors interested in stealing secrets or disrupting services. A Trust Boundary is the line that separates insiders who can be trusted and outsiders who can be potential threats. Anyone within the trust boundary can be trusted with private data and services; everyone outside it should ideally go through a verification process before being given access.
- Delivery Models – Dotson mentions the service models listed above (IaaS, PaaS and SaaS), but stresses that the line between IaaS and PaaS is getting blurrier with time and that it’s more important to understand what the service provides than to fit it into a neat category.
- Risk Management – Organizations operating in a cloud environment need to know what the probable risk scenarios for them are, how severe their impact can be, and what they can do to avert or mitigate those risks. Dealing with known risks would entail one of four things: (1) avoiding the risk, which would mean not getting into a situation that may, at some point, mean dealing with a security incident, which also means forgoing all the benefits that the given business initiative could provide; (2) mitigating the risk, which means taking steps to lower the likelihood of a security incident; (3) transferring the risk, which means paying a third party to take care of risk management – a frequently used option in cloud computing; and (4) accepting the risk, which means proceeding with an activity as normal while being aware of the risks associated with it and after informing all stakeholders of their existence and likelihood.
- Shared Responsibility Model – One of the most important concepts an organization should understand before moving to the cloud is the Shared Responsibility Model, which assigns different security roles to the cloud provider and the cloud consumer. The way responsibilities are divided between the provider and the consumer varies across service and deployment models. It is important for both the cloud service provider and the consumer to have a clear understanding of which aspects of security they are each responsible for.
- In all three service models, physical infrastructure security is taken care of by the cloud provider.
- In cases where the cloud provider offers virtualized environments, the provider is responsible for keeping virtual machines separate if the VMs are all hosted on the same server. In the IaaS model, VM separation is handled by the provider, but operating-system vulnerabilities must be taken care of by the consumer.
- Because networking has several layers, network security is usually divided between the provider and the consumer, with the cloud provider responsible for its own network and the consumer responsible for the virtual network or “virtual private cloud” on top.
- Middleware security, which includes databases, application servers and queuing systems, is a shared responsibility if one is using PaaS, with the provider often being responsible for updates and the consumer responsible for security-relevant settings such as encryption.
- Security at the application layer is the cloud user’s responsibility in the SaaS model.
- Data access security is always the consumer’s responsibility.
Dotson says, “The root cause of many security incidents is an assumption that the cloud provider is handling something when it turns out nobody was handling it. Many real-world examples of security incidents stemming from a poor understanding of the shared responsibility model come from open Amazon Web Services Simple Storage Service (AWS S3) Buckets. Sure, AWS S3 storage is secure and encrypted, but none of that helps if you don’t set your access controls properly.”
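The consumer-side check implied by the open-bucket problem and the least privilege principle above can be sketched as a small audit of an S3 bucket policy document. This is an added example, not code from Dotson's book or from this post; the sample policy is constructed, the bucket name, account ID and finding labels are placeholders, and the check ignores NotPrincipal/NotAction, bucket ACLs and account-level Block Public Access settings.

```python
import json

# Constructed sample bucket policy (bucket name and account ID are placeholders).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
    {"Sid": "AdminAll", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/admin"},
     "Action": "s3:*", "Resource": "*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}
""")

def as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_anyone(principal):
    """True when the principal is the wildcard, i.e. every caller."""
    values = principal.values() if isinstance(principal, dict) else [principal]
    return any("*" in as_list(v) for v in values)

def audit(policy):
    """Return {Sid: [findings]} for Allow statements that break least privilege."""
    findings = {}
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        issues = []
        if is_anyone(stmt.get("Principal")):
            # A Condition may narrow a wildcard principal, so flag it for review.
            issues.append("public-conditional" if stmt.get("Condition") else "public")
        if any(a == "*" or a.endswith(":*") for a in as_list(stmt.get("Action", []))):
            issues.append("wildcard-action")
        if issues:
            findings[stmt.get("Sid", f"statement-{i}")] = issues
    return findings

print(audit(SAMPLE_POLICY))
```

Statements that name a specific role and a specific action, such as AppWrite, pass silently; everything reported is a decision the consumer, not the provider, has to justify.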
Cloud security is a vast subject, and it’s difficult to do justice to it in a single post. The challenges and security principles mentioned above are all, individually, subjects for deeper study with their own subcategories, mitigation methods and best practices. In our introductory cloud security post, we have tried to provide a broad overview of the subject with all its complexities. In subsequent posts, we will be exploring different aspects of it in greater detail.