All Cloud Models are Not the Same: Understanding the Security Implications of SaaS, PaaS and IaaS

AddThis Social Bookmark Button

by Mark O’Neill

Today, many organizations are successfully using cloud computing to generate improved cost savings and greater efficiencies. However, despite the uptick in cloud computing adoption, there remains some confusion around the use of cloud computing models. This piece will not only examine the security challenges associated with cloud computing models but also provide solutions to these issues.

Cloud computing models can be segmented into three groups: Software as a Service (SaaS), Platform as a service (PaaS) and Integration as a Service (IaaS). The models have different uses; for example, SaaS typically focuses on managing access to applications, while PaaS focuses primarily on protecting data, and IaaS focuses on managing virtual machines.

The SaaS cloud model is typically responsible for managing access to applications. A large organization using cloud computing and leveraging applications or SaaS has to consider the security risks and potential IT help desk costs associated with multiple passwords accessing applications.

Consider, for example, the security risks and help desk costs in a scenario where an organization has thousands of employees using cloud services. In this instance, is the organization compelled to create thousands of mirrored users on the cloud platform? Additionally, in a situation where an organization has 15,000 employees, it is too costly to have the IT department assign individual new user passwords for accessing cloud services? This process becomes even more time consuming if a user forgets his or her password for the SaaS service, and resets it, as the user now has an extra password to take care of.

An organization can solve these issues by opting for a single sign-on option between on-premise systems and cloud. By leveraging a single sign-on option, users are able to access both their own desktops and any cloud services via a single password. This approach ensures that single sign-on users are less likely to lose passwords, thus reducing the assistance required by IT help desks. Single sign-on also saves time and money when a user joins or leaves the organization, as there is only a single password rather than multiple passwords that require activation or deactivation. This approach also reduces the incidences of dangling accounts – which are vulnerable to unauthorized usage – after users leave organizations.

Another cloud model, Paas, focuses primarily on protecting data. An ongoing challenge for organizations regarding PaaS is determining how to protect private information before sending it to the cloud. Cloud service providers recommend that, if private data is sent onto their systems, it must be encrypted, removed or redacted. These are solid recommendations, but users should know that encryption, in particular, is a CPU-intensive process which threatens to add significant latency to the process.

A best practice approach is to ensure that any solution implemented brokers the connection to the cloud service and automatically encrypts confidential user data such as home addresses, social security numbers or even medical records. Additionally, on-the-fly data protection can help by detecting private or sensitive data within the message sent to the cloud service provider, and encrypting it to allow only authorized personnel decryption rights. Alternatively, the private data could also be removed or redacted from the originating data and re-inserted when the data is requested back from the cloud.

With its focus on managing virtual machines, IaaS invariably touches on governance and usage monitoring. Cloud service providers offer varying degrees of cloud service monitoring; however, an organization should consider implementing its own cloud service governance framework. This framework gives the organization independent control and is especially useful for those organizations using multiple cloud services to access HR, ERP and CRM systems. In effect, a successful cloud service governance framework prevents employees accessing information or services they are not permitted to use. It also prevents them from running up costs on virtual machines or setting up their own accounts to access services paid for by the organization.

Within the scenario of independent monitoring, it is worth flagging that cloud providers have different methods of accessing information, as well as different security models. So, in order to use multiple cloud providers, organizations have to understand that, at a technical level, they are all different.

A solution to these issues is a cloud broker, which brokers the different connections between the cloud providers. This means organizations can use various services together with easy monitoring and governing controls. Additionally, it allows them to move up a level, where they are using the cloud for the benefits of saving money.

When considering a security framework to address these challenges, IT Directors need to decide if they will build their own systems or buy an off-the shelf cloud service broker. There are merits to each approach. If it is decided to build the broker in-house, the IT Directors would need to build cloud service broker-like functionality from scratch. However, with this route, other components of the solution, such as reporting and an audit trail, may not be present. An off-the-shelf cloud service broker product will provide these extra features as standard and should also provide, at a minimum, support for all the relevant WS-Security standards.

Similar But Not the Same
Cloud computing is not fundamentally insecure; it just needs to be managed and accessed in a secure way. As with any new technology, new risks and new opportunities are created. It is critical that organizations avoid applying a broad brush one-size-fits-all approach to security across all cloud models.

Image: Cloud Models

When an organization is considering cloud security, it should consider both the differences and similarities between the three Cloud Models: Software as a Service (Saas), Platform as a service (PaaS) and Integration as a Service (IaaS). An organization must also consider either an in-house Build or Cloud Brokerage solution. Cloud computing security comes down to the similarities and differences between the three cloud models. So, whether you build or buy, it is your cloud that you have to secure.

Mark O'Neill is the CTO of Vordel (Newton, MA).