What is cloud security? How is it different from traditional on-premises network security?
Blog Article Published: 11/09/2020
Cloud is also becoming the back end for all forms of computing, including the ubiquitous Internet of Things, and is the foundation for the information security industry. New ways of organizing compute, such as containerization and DevOps, are inseparable from cloud and are accelerating the digital revolution.
So what is cloud security? How is security for cloud computing different from on-premises security? In this blog I’ll attempt to answer those two questions.
(To learn more about best practices for securing a cloud environment read the CSA Security Guidance for Cloud Computing.)
What makes cloud computing unique from other forms of computing?
There are many different ways of viewing cloud computing: it’s a technology, a collection of technologies, an operational model, and a business model, just to name a few. Essentially, cloud computing is a new operational model that combines the benefits of abstraction (virtualization) and automation (orchestration) for new ways of delivering and consuming technology. Cloud separates application and information resources from the underlying infrastructure and the mechanisms used to deliver them. Cloud describes the use of a collection of services, applications, information and infrastructure comprised of pools of compute, network, information, and storage resources. Cloud provides an on-demand model of allocation and consumption.
Essential characteristics of cloud computing, service models and deployment models are all depicted in the following graph.
What are the differences between on-premises and cloud security?
There are security benefits to using cloud since cloud providers have significant economic incentives to protect customers. However, these benefits only appear if you understand and adopt cloud-native models and adjust your architectures and controls to align with the features and capabilities of cloud platforms. In fact, taking an existing application or asset and simply moving it to a cloud provider without any changes will often reduce agility, resiliency, and even security, all while increasing costs.
Cloud is primarily developer-driven.
Compared to on-premises security, cloud is primarily developer-driven: infrastructure is created and changed through APIs, templates and code rather than by hand. Every provider is fundamentally different at the lowest possible levels, and old patterns are now new antipatterns. Often you will have things that look the same in the cloud, but they are most definitely not the same. (For example: is a cloud route table the same as the one on your routers? The answer is no. The two share a name, but not the model of how routes are attached, evaluated or administered.)
The key difference between cloud and traditional computing is the metastructure.
At a high level, both cloud and traditional computing adhere to the following logical model that helps identify different layers based on functionality: infrastructure, metastructure, infostructure and applistructure. However, cloud metastructure includes the management plane components, which are network-enabled and remotely accessible. The controls that define your networks, storage and identities are themselves reached over the network (in public cloud, over the Internet) rather than from a console port or an isolated management VLAN, so whoever holds valid credentials can reconfigure the environment from anywhere.
In the cloud, you tend to double up on each layer. Infrastructure, for example, includes both the infrastructure used to create the cloud as well as the virtual infrastructure used and managed by the cloud user. In private cloud, the same organization might need to manage both; in public cloud the provider manages the physical infrastructure while the consumer manages their portion of the virtual infrastructure. As we discuss further in the CSA Security Guidance v4 this has profound implications on who is responsible for, and manages, security. These layers tend to map to different teams, disciplines, and technologies commonly found in IT organizations.
While the most obvious and immediate security management differences are in the metastructure, cloud differs extensively from traditional computing within each layer. The scale of the differences depends not only on the cloud platform, but on how exactly the cloud user utilizes the platform.
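One practical consequence of a remotely accessible management plane is that network position no longer protects it; identity and the audit trail of management-plane calls do. The following is an added example, not code from the CSA Guidance or from any provider: it reviews a constructed, provider-neutral management-plane audit log and flags calls that come from outside the networks administrators are expected to use, or that change the control plane without MFA. The event format, the approved networks and the list of "sensitive" action prefixes are all assumptions chosen for the illustration.

```python
"""Review management-plane audit events for risky access patterns.

Added example (not CSA or provider code). The event shape and the
sample events are constructed stand-ins for a real audit log.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MgmtPlaneEvent:
    principal: str   # who made the call
    action: str      # e.g. "compute:ModifyNetwork" (constructed naming)
    source_ip: str   # where the API call came from
    mfa: bool        # whether the session was MFA-authenticated


# Assumption: networks from which administrators are expected to operate.
APPROVED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumption: action-name prefixes that change the control plane itself.
# Read-only calls (Describe/List/Get) are deliberately excluded.
SENSITIVE_PREFIXES = ("Create", "Delete", "Put", "Update", "Attach", "Modify")


def is_sensitive(action: str) -> bool:
    """True if the action's verb (after the service prefix) mutates state."""
    verb = action.split(":")[-1]
    return verb.startswith(SENSITIVE_PREFIXES)


def from_approved_network(ip: str) -> bool:
    """True if the source address falls inside any approved network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)


def review(events):
    """Return a list of (event, reasons) for every event that breaks a rule."""
    findings = []
    for ev in events:
        reasons = []
        if not from_approved_network(ev.source_ip):
            reasons.append("source outside approved networks")
        if is_sensitive(ev.action) and not ev.mfa:
            reasons.append("sensitive action without MFA")
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample log: one benign read, one unprotected key creation,
# one remote but MFA-protected change, one remote unprotected policy change.
SAMPLE_EVENTS = [
    MgmtPlaneEvent("alice", "compute:DescribeInstances", "203.0.113.10", True),
    MgmtPlaneEvent("alice", "identity:CreateAccessKey", "203.0.113.10", False),
    MgmtPlaneEvent("build-svc", "compute:ModifyNetwork", "192.0.2.77", True),
    MgmtPlaneEvent("bob", "identity:AttachUserPolicy", "192.0.2.200", False),
]


if __name__ == "__main__":
    for ev, reasons in review(SAMPLE_EVENTS):
        print(f"{ev.principal} {ev.action} from {ev.source_ip}: {'; '.join(reasons)}")
```

The point of the check is the asymmetry with on-premises management: a router's configuration interface is normally reachable only from a management network, so a stolen password alone is not enough. In cloud, the same credential works from any source address unless you add identity controls (MFA, conditional access) and watch the audit log for exactly the patterns above.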
Cloud security scope and responsibilities change
It might sound simplistic, but cloud security and compliance includes everything a security team is responsible for today, just in the cloud. All the traditional security domains remain, but the nature of risks, roles and responsibilities, and implementation of controls change, often dramatically. Though the overall scope of security and compliance doesn’t change, the pieces any given cloud actor is responsible for most certainly do.
Think of it this way: Cloud computing is a shared technology model where different organizations are frequently responsible for implementing and managing different parts of the stack. As a result, security responsibilities are also distributed across the stack, and thus across the organizations involved. This is commonly referred to as the shared responsibility model. Think of it as a responsibility matrix that depends on the particular cloud provider and feature/product, the service model, and the deployment model.
Below is a graphical representation showing how responsibilities change depending on the cloud model (public, private or hybrid).
Common security pain points in cloud computing.
The following 13 domains, which comprise the CSA Security Guidance, highlight areas of concern for cloud computing. They are tuned to address both the strategic and tactical security “pain points” within a cloud environment and can be applied to any combination of cloud service and deployment model.
The domains are divided into two broad categories: governance and operations. The governance domains are broad and address strategic and policy issues within a cloud computing environment, while the operational domains focus on more tactical security concerns and implementation within the architecture. You can read these best practices for free by downloading the CSA Security Guidance for Cloud Computing.
Learn more about cloud security by downloading the CSA Security Guidance for Cloud Computing.
If you want to learn about cloud security we recommend that you start by reading the CSA Security Guidance for Cloud Computing which is freely available on our website. We also have a Certificate of Cloud Security Knowledge (CCSK) that provides a baseline level of knowledge for security and non-security professionals alike to understand how cloud changes security and best practices for staying secure in the cloud.