SaaS, PaaS, and IaaS: A Security Checklist for Cloud Models
Cloud backup service providers achieve economies of scale and savings in costs by sharing computing resources across customers. It is possible that several entities may be sharing the same server and/or database for an application type or several application types. Security may be built in at a software level and will require effective management of user access protocols by the service provider and the service user.
It should be noted that all cloud constructs are not the same. Organizations must understand the type of cloud model that suits them best. Cloud models are categorized as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). There are a number of similarities and differences between these three cloud models. While SaaS is focused on software level management of access, PaaS is focused on encrypted data protection in storage and data availability to the end user with specific reference to the establishment of load balancing and fail over server systems. IaaS is concerned with management of virtual machines with prioritization on access controls.
Most CIOs are concerned with five major security challenges:
1. Protecting information before transmission to the cloud: Many cloud service providers create and deploy elaborate cryptographic algorithms for data encryption along with their software. This is a CPU intensive process at the user end.
2. Tracking user activity: Cloud backup services help end users track user activity by provisioning for and building into their software systems an automatic and independent system of audit. The solution also helps the consuming enterprise monitor and report on such activity.
3. Temptation to replicate the Organization in the cloud: While thousands of users within the enterprise would demand access to enterprise applications in the cloud, the CIO is thrown into a dilemma. Cloud backup and recovery service providers resolve the problem by provisioning for integrated cloud software based user management systems that permit assignment of rights and permissions at granular levels to users.
4. Governance issues: This is more common with the IaaS model. Cloud backup service providers build-in virtual machine control systems and cloud security systems that challenge access attempts of rouge users and employees attempting to access restricted data stored on virtual machines.
5. Protection of API keys: While the software of the online cloud service may provide some safeguards, indiscriminate and irresponsible use of API keys will result in data breaches that cannot be blamed on the cloud service.