Cloud Security Issues and Solutions – A Preparation to Offset Cloud Security Risks (Part 3)


Cloud computing is a service that goes beyond server virtualization technology. In the last post, I shared my thoughts on possible solutions to ensure the security of your data in the SaaS cloud service delivery model. In this post, I would like to uncover the security issues and solutions of the PaaS and IaaS cloud service delivery models.

PaaS security issues and possible solutions:

The PaaS model is similar to SaaS with the only difference being that your cloud service provider offers an application development environment instead of a server deployment environment to run an application. You can run applications pertaining to your business requirements using a provided compliant development tool. Either a web-based or an enterprise network development environment is used to develop an application with the technical code blocks provided by your cloud service provider.

If you choose the PaaS model, then you may have to find ways to manage data security issues, authentication, access and authorization issues, as well as the challenges of working with distributed applications.

Authentication, Access, and Authorization (AAA) issues:

You have to share the PaaS cloud development environment with other customers of your provider. So, efficient authentication, access control, and authorization frameworks should be deployed by your provider to ensure the separation of every customer.

The attacks you encounter in non-cloud environments, such as phishing and impersonation, are equally possible in cloud development environments. Because authentication, access control and authorization for application development are in the hands of the cloud service provider, most organizations drop the proposal of moving to the cloud.

You have to judge the efficiency of your PaaS cloud service provider’s authentication, access control and authorization framework by estimating the level of security provided to your application in the cloud. You need to ask questions about the mechanism used to authenticate usernames and passwords, how data is accessed, and about their application-based authorization verification mechanisms.

Possible solutions to address AAA issues are –

  • Your PaaS provider should address password complexity requirements.
  • For effective identity management, end-to-end encryption is essential. Your provider should use cryptographic hashing mechanisms.
  • A role-based authorization framework for user accounts lets users access and control the application according to their role. Modifications and data access control at the application level can then be assigned to a specific role and protected with stringent authorization permissions.
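
The three controls listed above can be sketched together as follows. This is an added example, not code from the original post or from any provider; the policy thresholds, role names, tenant labels and the choice of PBKDF2 as the hashing mechanism are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed policy values and role names (assumptions for illustration).
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "developer": {"read", "modify"},
    "admin": {"read", "modify", "manage_users"},
}

def password_is_complex(password: str) -> bool:
    """Require a minimum length plus lower, upper, digit and symbol characters."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= MIN_LENGTH and all(re.search(c, password) for c in classes)

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) from salted PBKDF2-HMAC-SHA256; only these are stored."""
    salt = salt or os.urandom(16)  # fresh random salt for every new password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def is_authorized(user: dict, action: str, resource_tenant: str) -> bool:
    """Allow an action only inside the user's own tenant and only if the role grants it."""
    if user["tenant"] != resource_tenant:  # customer separation is checked first
        return False
    return action in ROLE_PERMISSIONS.get(user["role"], set())

if __name__ == "__main__":
    # Constructed sample account and password.
    alice = {"name": "alice", "tenant": "tenant-a", "role": "developer"}
    salt, stored = hash_password("Correct-Horse-42-Battery")
    print(password_is_complex("Correct-Horse-42-Battery"))
    print(verify_password("Correct-Horse-42-Battery", salt, stored))
    print(is_authorized(alice, "modify", "tenant-a"))
    print(is_authorized(alice, "modify", "tenant-b"))
```

The tenant check runs before the role lookup, so even an admin role in one customer's account grants nothing on another customer's resources.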

Data Security:

An application needs unencrypted data in order to process it. Data in the cloud is secured by encrypting it before it is stored, so the level of data security is reduced when a PaaS application processes it. The possible solution is not moving sensitive business data to the cloud, or at least not allowing it to be processed by the PaaS application.

Distributed applications:

Though the cloud provides scalability and agility, the distributed applications that are intended to move to the cloud should be tuned to tackle design and security issues. Working with distributed applications within the enterprise network environment is simple, but when migrated to the cloud they can become hard to manage if they are not synchronized to the cloud environment.

IaaS security issues and possible solutions:

The IaaS cloud service delivery model provides computing infrastructure on an outsourced basis to organizations to perform business operations. IaaS security issues vary depending on whether you choose a public cloud or a private cloud. With a private cloud, you can access, control and manage computers, as well as the network and storage infrastructure. With a public cloud, you can only manage virtual machines and the services you create on them.

For both private and public cloud, there are certain security issues that you should consider.

Data Leakage:

When the IaaS model is deployed in a public or hybrid cloud, it can encounter data leakage issues. You can manage them by creating a transparent process that spells out who can access the data and what happens after it is accessed.

Authentication and Authorization:

Robust authentication and authorization frameworks can ensure effective Data Loss Prevention. You need to ask your cloud service provider to implement a two-factor or multifactor authentication process to access the critical data.

End to End Logging and Reporting:

A comprehensive range of logging and reporting methods is required when you want to deploy IaaS in private, public and hybrid clouds effectively. With robust logging and reporting mechanisms, you can track where your data is stored, how the data is accessed, and which virtual machines monitor and store the data.

End to End Encryption:

To prevent offline attacks, you need to encrypt all information that moves to the cloud. You also need to encrypt communications between virtual machines and other resources in the IaaS cloud computing infrastructure.

Information security is a major consideration for cloud adoption. You transform your business to a secure cloud environment by choosing a provider who can deploy security features in the cloud. You need to ask your cloud service provider tough questions with the knowledge you gleaned from these posts. You also need to ask about data location, technologies used and compliance with industry standards.

Sudhakar Goverdhanam
CEO Prime Technology Group LLC