If I asked you what security products you had in place to manage your risk within your IT organisation 10 years ago, you’d probably have been able to list a half dozen different tools and confidently note that most of your infrastructure was covered by a common set of key products such as antivirus, DLP, firewalls, etc. But in a world with IaaS, PaaS and SaaS, maintaining a comprehensive approach becomes far more difficult.
Whilst many hosted services have overlapping functionality and thus may share specific security requirements, most will typically limit your control of the underlying components to some degree in an effort to reduce the overall management overhead. (This is, in effect, the benefit of paying for a service rather than hosting your own instances, after all, and part of the flexibility gained from the various different service offerings available on the market today.) As a result, many will require a completely different method of assessing security and compliance.
If you’re only just getting started with cloud services or are diversifying your cloud service offerings, it’s important to consider your security/compliance requirements for each and every type of service added to your portfolio. For those who haven’t been knee deep in these abbreviations, let’s take a look at the three common service offerings and their associated security requirements.
IaaS (Infrastructure as a Service)
IaaS (Infrastructure as a Service) is, in effect, where a cloud provider hosts the infrastructure components traditionally present in an on-premises data center: the physical servers, storage and networking hardware, and the virtualization or hypervisor layer. The guest operating systems running on that infrastructure typically remain your responsibility to configure, patch and secure.
From a security perspective, this offering is probably the closest to traditional in-house IT infrastructure, and it will require many of the same security tools as a result. (Indeed, many companies will effectively move existing server workloads to IaaS either partially or completely, resulting in a hybrid solution.)
Tools that are aware of the infrastructure's hosted status, though, may offer significant benefits, as IaaS server instances may "come and go" dynamically, taking advantage of the ease of doing so in a hosted environment. This means licensing and data recording should be flexible enough to record the compliance state of a temporarily "spun up" virtual machine that is brought online for only a few hours before being removed, whilst not incurring ongoing license costs for an instance that no longer exists. If your tooling only records what exists at the time of a scheduled scan, a short-lived instance that was misconfigured during its lifetime will never appear in your evidence at all.
PaaS (Platform as a Service)
PaaS (Platform as a Service) effectively builds upon the IaaS model because, in addition to the underlying infrastructure services discussed above, the service provider will host and manage the operating systems, middleware, runtimes, etc. for its users.
PaaS simplifies workload deployment since the platform ships with prebaked configurations. In turn, it may limit the flexibility available to administrators to create the environment they want, including some security options which might be appropriate for your particular security and compliance objectives: a host-level control you rely on elsewhere (an endpoint agent, a custom disk encryption setup, a particular logging daemon) may simply have no equivalent you can install or tune.
PaaS changes the security model somewhat in other ways, too, since security tools may be baked into the service. For IT houses with a mixture of PaaS and traditional infrastructure, this can create a challenge in ensuring coverage is up to the same standards across the whole estate. Compliance teams, in particular, should ensure that any required security options (particularly around authentication options, in my experience) are available and set consistently. Compliance tools that help you to do so in both environments will give you a significant advantage when it comes to assessing your entire estate to ensure there are no gaps.
SaaS (Software as a Service)
Finally, SaaS (Software as a Service) providers will host and manage the entire stack, including the application itself. A SaaS user in effect does not install anything; they simply log in and use the provider's application instance, which runs on the provider's infrastructure. Typically, this restricts the level of customization but significantly reduces the "configuration surface area" for applications, since the SaaS provider is responsible for the ground-up configuration of the application.
With SaaS, there is typically far less visibility into security options, but this does not mean security should be taken on trust. It's still key to ensure that compliance and security assessments do not simply assume that security "works." Care must be taken both during initial service selection (making sure the service exposes security controls, and evidence such as audit logs or configuration exports, that let you assess your security posture) and to confirm that sufficient information remains available to re-assess security over time, not just at the point of purchase.
IaaS, PaaS or SaaS? Key Challenges to Consider
Making sure your security and compliance tools cover these areas is key. Gone are the days of simply ensuring that you have "antivirus on all machines." Instead, each category of service may require a different approach to take account of its own particular strengths and weaknesses. For compliance, in particular, this may require a lot of extra "homework" before making purchasing decisions, to ensure that teams can demonstrate that the chosen toolset(s) satisfy particular standards, especially if your current security tool doesn't or can't provide assessment functionality for components that are managed by your cloud provider.
One final challenge that remains with all the tooling noted above is getting consistent reporting for assessment, and one that the current providers, in my opinion at least, have still not fully "solved" (although it's something that providers are clearly working hard on). At the moment, many teams are having to build their own bespoke solutions to bring together different data sources to deliver a single high-level overview or consistent detailed reporting; that's key to making the data accessible across the business. But I am hopeful that future vendors will take advantage of the APIs available on these platforms to deliver reporting insights that serve this need.
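The "bring together different data sources" problem above, and the earlier point that required settings (authentication in particular) must be checked consistently across PaaS and traditional infrastructure, both come down to the same piece of plumbing: an adapter per source that maps each provider's vocabulary onto a common list of controls, and a report that distinguishes a control that failed from one the provider gives you no evidence for. The script below is an added example, not code from the original post or from any vendor. All three "exports" are constructed sample data with assumed field names (real provider APIs differ), and the baseline of three required controls is likewise an assumption; it also keeps the lifetime of each IaaS instance so a VM that lived 45 minutes is still assessed rather than silently dropped.

```python
"""Consolidate compliance evidence from IaaS, PaaS and SaaS sources into one view.

Added example, not code from the original post. Every provider export below is
constructed for illustration (assumed shapes, not any real vendor's API), and
the required-control baseline is likewise an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Baseline the compliance team wants set consistently across every service model.
REQUIRED_CONTROLS = ("mfa_enforced", "encryption_at_rest", "audit_logging")


@dataclass
class Finding:
    asset: str
    service_model: str                    # "IaaS", "PaaS" or "SaaS"
    controls: Dict[str, Optional[bool]]   # None: provider exposes no setting or evidence
    lifetime: Optional[timedelta]         # how long an instance existed; None for non-instances


# --- Constructed source records, one shape per service model -----------------
IAAS_AGENT_REPORTS = [  # per-VM host agent output, including a VM that lived 45 minutes
    {"hostname": "web-01", "checks": {"mfa": "pass", "disk_crypto": "pass", "syslog": "pass"},
     "first_seen": "2024-03-01T08:00:00Z", "last_seen": "2024-03-01T17:30:00Z"},
    {"hostname": "batch-77", "checks": {"mfa": "pass", "disk_crypto": "fail", "syslog": "pass"},
     "first_seen": "2024-03-01T09:00:00Z", "last_seen": "2024-03-01T09:45:00Z"},
]
PAAS_CONFIG_EXPORT = {  # platform settings export keyed by app; no host-level checks exist
    "app-api": {"authentication": {"require_mfa": True}, "storage_encryption": True,
                "diagnostics": "enabled"},
    "app-legacy": {"authentication": {"require_mfa": False}, "storage_encryption": True,
                   "diagnostics": "disabled"},
}
SAAS_ADMIN_EXPORT = [  # tenant admin report; encryption at rest is neither settable nor shown
    {"tenant": "crm-prod", "sso_mfa": True, "audit_log_export": True},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# One adapter per source: map each export's vocabulary onto the common control names.
def from_iaas(rec: dict) -> Finding:
    c = rec["checks"]
    return Finding(rec["hostname"], "IaaS",
                   {"mfa_enforced": c.get("mfa") == "pass",
                    "encryption_at_rest": c.get("disk_crypto") == "pass",
                    "audit_logging": c.get("syslog") == "pass"},
                   parse_ts(rec["last_seen"]) - parse_ts(rec["first_seen"]))


def from_paas(name: str, cfg: dict) -> Finding:
    return Finding(name, "PaaS",
                   {"mfa_enforced": cfg["authentication"]["require_mfa"],
                    "encryption_at_rest": cfg["storage_encryption"],
                    "audit_logging": cfg["diagnostics"] == "enabled"}, None)


def from_saas(rec: dict) -> Finding:
    return Finding(rec["tenant"], "SaaS",
                   {"mfa_enforced": rec["sso_mfa"],
                    "encryption_at_rest": None,   # not visible to the customer at all
                    "audit_logging": rec["audit_log_export"]}, None)


def collect_findings() -> List[Finding]:
    findings = [from_iaas(r) for r in IAAS_AGENT_REPORTS]
    findings += [from_paas(n, c) for n, c in PAAS_CONFIG_EXPORT.items()]
    findings += [from_saas(r) for r in SAAS_ADMIN_EXPORT]
    return findings


def gap_report(findings: List[Finding], required=REQUIRED_CONTROLS) -> Dict[str, Dict[str, str]]:
    """Per asset, rate each required control 'ok', 'FAIL' or 'NO EVIDENCE'.

    'NO EVIDENCE' is deliberately kept separate from 'FAIL': a SaaS tenant that
    cannot show its encryption setting is a gap in assessability, which needs a
    different conversation (with the vendor) than a known misconfiguration does.
    """
    report: Dict[str, Dict[str, str]] = {}
    for f in findings:
        report[f.asset] = {}
        for ctl in required:
            state = f.controls.get(ctl)
            report[f.asset][ctl] = "NO EVIDENCE" if state is None else ("ok" if state else "FAIL")
    return report


def coverage_by_model(findings: List[Finding], required=REQUIRED_CONTROLS) -> Dict[str, Dict[str, int]]:
    """High-level rollup per service model: asset count, failed controls, unassessable controls."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        row = summary.setdefault(f.service_model, {"assets": 0, "fail": 0, "no_evidence": 0})
        row["assets"] += 1
        for ctl in required:
            state = f.controls.get(ctl)
            if state is None:
                row["no_evidence"] += 1
            elif not state:
                row["fail"] += 1
    return summary


def short_lived(findings: List[Finding], max_age: timedelta = timedelta(hours=1)) -> List[str]:
    """Instances that existed for less than max_age but whose evidence was still captured."""
    return [f.asset for f in findings if f.lifetime is not None and f.lifetime < max_age]


if __name__ == "__main__":
    found = collect_findings()
    for asset, controls in gap_report(found).items():
        print(f"{asset:10} " + "  ".join(f"{k}={v}" for k, v in controls.items()))
    print("rollup:", coverage_by_model(found))
    print("short-lived instances still assessed:", short_lived(found))
```

The two things worth copying from this pattern are the three-valued result (a provider that cannot show you a setting is not the same as one that shows it switched off) and the per-service-model rollup, which is the view a compliance lead actually wants when asked "where are the gaps?" across an estate that spans all three models.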
As I noted in my introduction, there are a lot of new challenges facing compliance and security in providing protection and ensuring consistency between these varied environments. Even so, the potential for these services to make "security by default" a reality means that, even with these challenges, it's very tempting to keep a close eye on new services, as they can fast-track your security to ever higher standards. Just don't forget that one tool may not fit all whilst the industry is growing up as rapidly as it is!