Infrastructure-as-a-Service Security Responsibilities

peter-tsai

Infrastructure-as-a-Service

It’s no secret many organizations rely on popular cloud providers like Amazon and Microsoft for access to computing infrastructure. The many perks of cloud services, such as the ability to quickly scale resources without the upfront cost of buying physical servers, have helped build a multibillion-dollar cloud industry that continues to grow each year.

Still, even though cloud has helped many companies, there are tradeoffs with cloud services such as Infrastructure-as-a-Service (IaaS) that organizations need to be aware of. With IaaS, a cloud provider maintains basic IT infrastructure such as servers, storage, and networks on your behalf, which is convenient but also raises concerns at the same time.

Infrastructure-as-a-Service infographic

Case in point, in the 2016 Spiceworks report Diving into IT Cloud Services, 52 percent of IT professionals surveyed said loss of control over infrastructure is a barrier to moving IT services to the cloud. In the same survey, the majority of IT pros also said the risk of security breach is a top concern with cloud services. Additionally, 36 percent of respondents were worried about the risk of data loss and keeping cloud costs under control.

Why are IT pros worried about cloud security?

With On-Premises infrastructure, you have complete visibility and control over everything. You can physically see your infrastructure, and if something goes wrong, you have the power and ability to take immediate actions to fix issues.

But with cloud services, you need to trust your provider to properly secure your environment and respond to any security incidents in a timely manner, and as the data shows, many IT departments are hesitant to relinquish control and are afraid of outages or data loss that might occur in the cloud.

Adding to the worries, if a security incident occurs on cloud infrastructure, there’s sometimes confusion over who’s ultimately responsible for addressing the problem because there’s shared security responsibility between you and the provider. Who needs to take actions to remedy an issue depends on where in the stack the security incident actually occurred. Therefore, it’s critical for cloud users to know who’s responsible for what.

How IaaS security responsibilities are divided 

The two dominant cloud players, Amazon Web Services and Microsoft Azure, have both documented what they are responsible for as cloud providers when it comes to security. For example, in their shared responsibility model, Amazon Web Services has helpfully broken AWS security responsibilities into two main buckets:

Security of the cloud” = everything the provider does, including:

  • Securing global cloud infrastructure, including physical access to data center facilities where your IT resources are housed
  • Protecting the physical networking, compute, and storage resources, so you don’t have to worry about setting up servers or storage hardware, patching firmware, or installing and properly disposing of drives, etc.
  • Securing Hypervisors that host and manage your VMs running on cloud infrastructure

Security in the cloud” = everything you’re responsible for, including:

  • Guarding data generated or collected by your applications
  • Maintaining secure operating system, network, and firewall configurations
  • Identifying and accessing control mechanisms tied to any platforms or applications you manage
  • Protecting information by ensuring data integrity, using encryption, and properly using identity management technologies

How security responsibilities differ between Iaas, PaaS, and SaaS

Microsoft also draws a clear line that separates what cloud Service Providers and cloud customers are responsible for. Their March 2016 document entitled Shared Responsibilities for Cloud Computing goes one step further by breaking down responsibility areas across different cloud models including IaaS, PaaS, and SaaS.

AWS

With all three service models, the cloud provider is solely responsible for physical security of infrastructure. And like with AWS all Azure users, regardless of what cloud model they take advantage of, are responsible for data classification and availability to make sure sensitive customer data is properly handled across all of the cloud models. But there are varying degrees of responsibility when it comes to end-point protection, identity & access management, application level controls, network controls, and host infrastructure. As a general rule of thumb, the more control over infrastructure you have, the more security responsibility you have as well, with IaaS providing the most control and responsibility, followed by PaaS, and then SaaS.

customer-cloud

How to stay on top of cloud security

In summary, a first step towards securing cloud infrastructure and data is understanding what you’re responsible for so you can take appropriate action. The cloud providers try to make this very clear so you know what you’re getting into when you sign up for their services.

But just because the providers make some promises, you still need to be careful. Providers like Amazon Web services and Azure are not typically on the hook for data loss or a breach due to labor disputes, utility failures, natural disasters, orders of government, or acts of terrorism or war. They also include language in their service agreements that state you are still responsible for backing up and archiving your content in case of a disaster… so even when the cloud provider is on the hook for security, you still need a solid “plan B” just in case.

By Peter Tsai, IT Analyst at Spiceworks

Formerly a systems administrator, programmer, and server engineer who has lived IT from the inside and out, Peter now works to serve up IT articles, reports, infographics, and livecasts that inform and entertain millions of IT pros in the Spiceworks Community worldwide.

Bruce Guptill

Resolving IT-Finance Asynchronization on Cloud Improvements

Resolving IT-Finance Asynchronization While CIO-CFO communications and alignment may never seem better, what is considered to be C-level, strategic “alignment” increasingly obscures realities that keep ...
Back G Cloud

Five Reasons Why There’s A Digital Stampede To The Cloud

The Digital Stampede As the transfer of digital assets to the cloud gathers momentum, we examine the fundamental reasons why it’s happening Many organizations have ...
Miha Kralj

SaaS Native – Design, Delivery and Management of Applications

Going cloud native, the right way Moving from a traditional IT organization to one that’s cloud native is an inevitability for all businesses. This is ...
Matt Holleran

Cloud Platforms, Marketplaces, and Startups

Cloud Platforms, Marketplaces, and Startups One of the most exciting recent developments in the cloud software business is the proliferation of partner ecosystems, with large ...
Aruna Headshot

66% Say They’d Switch Vendors in Order to Get an Intelligent Online Meeting Solution

People are getting frustrated with online and video meetings. In fact, according to a recent survey, 85% say they are challenged with these types of ...
Sangeeta Chhabra

What Accountants Should Know About The Cloud

Cloud Accounting Cloud technology has been at the top of the charts of new-age technologies for a long time now. Almost every industry in the ...
It’s Magic.png