When leveraging the cloud, the cloud service consumer (CSC) and the cloud service provider (CSP) have a shared responsibility for securing the cloud services. As shown in Figure 9.1, the further up the cloud stack consumers go, the more they shift the responsibility to the provider.
The cloud stack consists of four categories. At the bottom is the infrastructure layer, which is made up of physical things like data centers, server-related hardware and peripherals, network infrastructure, storage devices, and more. Companies that are not leveraging cloud computing or are building their own private clouds have to provide the security for all of this physical infrastructure. For those companies leveraging a public cloud solution, the public cloud service provider manages the physical infrastructure security on behalf of the consumer.
Figure 9.1 Infrastructure as a Service. The figure shows the cloud stack components (User, Application, Application Stack, Infrastructure) against who is responsible, vendor or customer, under each service model (IaaS, PaaS, SaaS); for IaaS the vendor supplies infrastructure security and the consumer does the rest.
Some companies might cringe at the thought of outsourcing infrastructure security to a vendor, but the fact of the matter is most public Infrastructure as a Service (IaaS) providers invest a substantial amount of time, money, and human capital into providing world-class security at levels far greater than most cloud consumers can feasibly provide. For example, Amazon Web Services (AWS) has been certified in ISO 27001, HIPAA, PCI, FISO, SSAE 16, FedRAMP, ITAR, FIPS, and other regulations. Many companies would be hard pressed to invest in that amount of security and auditing within their data centers.
As we move up to the application stack layer, where PaaS solutions take root, we see a shift in responsibility to the providers for securing the underlying application software, such as operating systems, application servers, database software, and programming languages like .NET, Ruby, Python, Java, and many others. There are a number of other application stack tools that provide on-demand services like caching, queuing, messaging, e-mail, logging, monitoring, and others. In an IaaS service model, the service consumer would own managing and securing all of these services, but with Platform as a Service (PaaS), this is all handled by the service provider in some cases. Let's elaborate.
There are actually six distinct deployment models for PaaS, as shown in Figure 9.2.
The public-hosted deployment model is where the provider supplies the IaaS in its own public cloud. Examples are Google App Engine, Force.com, and Microsoft Azure. In this model, the provider is responsible for all of the security for both the infrastructure and application stack. In some cases, the PaaS provider runs on top of another provider's infrastructure. For example, Heroku and Engine Yard both run on AWS. In the consumers' eyes, the PaaS provider is responsible for all of the infrastructure and application stack security, but in reality, the PaaS provider manages the application stack security and leverages the IaaS provider to provide the infrastructure security.
In the public-hosted model, only the PaaS provider is responsible for securing the actual PaaS software. The PaaS software is a shared service consumed by all PaaS consumers.
The public-managed deployment model is where the PaaS provider deploys on a public cloud of the CSC's choice and the consumer hires the PaaS provider or some other third party to manage the PaaS software and the application stack on its behalf. (Note: Not all PaaS providers have the ability to run on multiple public clouds.) In the public-managed model, the PaaS software needs to be managed by the customer, meaning it is up to the customer and its managed service provider to determine when to update the PaaS software when patches and fixes come out. Although the consumer still shifts the responsibility of security for the PaaS software and the application stack, the consumer is still involved in the process of updating software. In the public-hosted model, this all happens transparently to the consumer.
The public-unmanaged deployment model is where the PaaS provider deploys on an IaaS provider's public cloud, and the consumer takes the responsibility of managing and patching both the PaaS software and application stack.
This is a common deployment model within enterprises when a hybrid cloud is chosen. Often with a hybrid PaaS solution, the consumer must choose a PaaS that can be deployed in any cloud, public or private. PaaS providers that meet this requirement only deliver PaaS as software and do not handle the infrastructure layer. An example of this model would be deploying an open-source PaaS like Red Hat's OpenShift on top of an open source IaaS solution like OpenStack, which can be deployed both within the consumer's data center for some workloads and in a public cloud IaaS provider like Rackspace for other workloads.
Figure 9.2 Platform as a Service. The figure shows the same cloud stack components against who is responsible, vendor or customer, under each service model; for PaaS the vendor supplies application stack security and infrastructure security, and the consumer does the rest.
The private-hosted model is where a private PaaS is deployed on an externally hosted private IaaS cloud. In this model the consumer shifts the responsibility of the infrastructure layer to the IaaS provider, but still owns managing and securing the application stack and the PaaS software. An example of this model would be deploying an open source PaaS like Cloud Foundry on top of an open source IaaS solution like OpenStack, which can be deployed in a private cloud IaaS provider like Rackspace for other workloads. (Note: Rackspace provides both public and private IaaS solutions.)
The private-managed model is similar to the public-hosted model except that the IaaS cloud is a private cloud, either externally hosted or within the consumer's own data center. If the IaaS cloud is externally hosted, then the only difference between the private-hosted and the private-managed model is that the consumer hires a service provider to manage and secure the PaaS and application stack and relies on the IaaS provider to manage and secure the infrastructure layer. If the IaaS cloud is internal, then the consumer owns the responsibility for managing and securing the infrastructure layer, while the managed service provider manages and secures the PaaS software and the application stack.
The private-unmanaged model is where the consumer is in charge of securing the entire cloud stack plus the PaaS software. In reality, this is a private IaaS with the addition of managing a PaaS solution in the data center.
This is a popular option for enterprises that want to keep data out of the public cloud and want to own the security responsibility. Another reason is the consumer may want to run on specific hardware specifications not available in the public cloud or it may want to shift certain workloads to bare-metal (non-virtualized) machines to gain performance improvements. An example of this model is deploying a .NET PaaS like Apprenda on top of OpenStack running in an internal private cloud.
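The six PaaS deployment models above reduce to two rules: who runs the IaaS, and whether the PaaS software and application stack are hosted, managed, or unmanaged. The following Python is an added example, not code from the book, that encodes those rules so a consumer can list the layers it owns and the providers whose controls it still has to evaluate; the layer and owner labels are my own naming, and the internal_iaas flag is an assumption for the private-managed case the chapter says can run either in-house or externally.

```python
"""Shared-responsibility matrix for the six PaaS deployment models.
Added example (not the book's code): it encodes the chapter's rules for who
secures each cloud-stack layer under each model, so a consumer can list the
layers it owns and the providers whose controls it still has to evaluate."""
CONSUMER, PAAS, IAAS, MSP = ("consumer", "PaaS provider", "IaaS provider",
                             "managed service provider")
MODELS = {"public-hosted", "public-managed", "public-unmanaged",
          "private-hosted", "private-managed", "private-unmanaged"}


def responsibilities(model: str, internal_iaas: bool = False) -> dict:
    """Map each layer to its owner. internal_iaas matters only for
    private-managed, the one model the chapter allows on either an externally
    hosted or an in-house private IaaS."""
    if model not in MODELS:
        raise ValueError(f"unknown PaaS deployment model: {model}")
    public_hosted = model == "public-hosted"

    # Infrastructure is the consumer's only when the IaaS sits in its own data
    # center; a public-hosted PaaS owns it (maybe via an IaaS, as Heroku on AWS).
    if model == "private-unmanaged" or (model == "private-managed" and internal_iaas):
        infra = CONSUMER
    else:
        infra = PAAS if public_hosted else IAAS

    # PaaS software and application stack follow hosted/managed/unmanaged,
    # except private-hosted, where the consumer still runs the PaaS itself.
    if public_hosted:
        platform = PAAS
    elif model.split("-")[1] == "managed":
        platform = MSP
    else:
        platform = CONSUMER

    # The application and user layers stay with the consumer in every model.
    return {"infrastructure": infra, "paas_software": platform,
            "application_stack": platform, "application": CONSUMER,
            "user": CONSUMER}


def consumer_owned(model: str, internal_iaas: bool = False) -> list:
    """Layers the consumer must secure (and patch) itself."""
    r = responsibilities(model, internal_iaas)
    return [layer for layer, owner in r.items() if owner == CONSUMER]


def providers_to_evaluate(model: str, internal_iaas: bool = False) -> set:
    """Providers whose controls and accreditations the consumer should review."""
    r = responsibilities(model, internal_iaas)
    return {owner for owner in r.values() if owner != CONSUMER}
```

For a public-managed PaaS the output still lists the managed service provider for the PaaS software and application stack, which is a reminder that, as the chapter notes, the consumer remains in the loop on when patches get applied.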
The next layer up is the application layer. This is where application development must focus on things like using secure transmission protocols (https, sFTP, etc.), encrypting data, authenticating and authorizing users, protecting against web vulnerabilities, and much more. For SaaS solutions, the responsibility for application security shifts to the provider as shown in Figure 9.3.
At the top of the stack is the user layer. At this layer the consumer performs user administration tasks such as adding users to a SaaS application, assigning roles to a user, granting access to allow developers to build on top of cloud services, and so on. In some cases, the end user may be responsible for managing its own users. For example, a consumer may build a SaaS solution on top of a PaaS or IaaS provider and allow its customers to self-manage access within their own organizations.
To sum up the security responsibilities, choosing cloud service and cloud deployment models determines which responsibilities are owned by the provider and which are owned by the consumer. Once a consumer determines what the provider is responsible for, it should then evaluate the provider's security controls and accreditations to determine whether the provider can meet the desired security requirements.