In the final post of our series on cloud migration, we’ve put together a list of strategic and immediate considerations as you plan to migrate your business to the cloud. From a high-altitude viewpoint, cloud security is based on a model of “shared responsibility”: responsibility for security tracks the degree of control any given actor has over the architecture stack. Thus, the most important security consideration is knowing exactly who is responsible for what in any given cloud project:
- Software as a Service: Typically, the cloud provider is responsible for the bulk of security concerns.
- Platform as a Service: The PaaS cloud provider is generally responsible for the security of the physical infrastructure. The consumer is responsible for everything they implement on the platform, including how they configure any offered security features.
- Infrastructure as a Service: The cloud provider has primary responsibility for the physical security of the servers and for the security of the underlying network itself. The cloud user is responsible for the security of everything they build on the infrastructure.
A Simple Cloud Security Process Model
The development of a comprehensive cloud security process must consider a wide range of implementation details such as design models and reference architectures. The following high-level process model for managing cloud security contains only the essential items that must appear in any such model:
- Identify enterprise governance, risk, and compliance requirements, and legacy mitigation controls.
- Evaluate and select your cloud provider, service model, and deployment model.
- Define the architecture of your deployment.
- Assess the security controls and identify control gaps.
- Design and implement controls to fill the gaps.
- Develop and implement a migration strategy.
- Modify your implementation as necessary.
Each migration process should be evaluated based on its own set of configurations and technologies, even when these projects are based on a single provider. The security controls for an application deployed on pure IaaS in one provider may look very different from those of a similar project that instead uses more PaaS from that same provider.
The key is to identify security requirements, define the architecture, and determine the control gaps based on the existing security features of the cloud platform. It’s essential that you know your cloud provider’s security measures and underlying architecture before you start translating your security requirements into cloud-based controls.
Checklist: Applications and Data Security for SPI
The three commonly recognized service models are referred to as the SPI (software, platform and infrastructure) tiers. Here are the main application and data security considerations for businesses using cloud services.
- Cloud users must understand the differences between cloud computing and traditional infrastructure or virtualization, and how abstraction and orchestration impact security.
- Cloud users should evaluate their cloud provider’s internal security controls and customer security features, so the cloud user can make an informed decision.
- Cloud users should, for any given cloud project, build a responsibilities matrix to document who is implementing which controls and how. This should also align with any necessary compliance standards.
- Cloud users should become familiar with the NIST model for cloud computing and the CSA reference architecture.
- Cloud users should use available tools and questionnaires to evaluate and compare cloud providers.
- Cloud users should use available tools to assess and document cloud project security and compliance requirements and controls, as well as who is responsible for each.
- Cloud users should use a cloud security process model to select providers, design architectures, identify control gaps, and implement security and compliance controls.
- Cloud users must establish security measures, such as a web application firewall (WAF), that allow only authorized web traffic to enter their cloud-based data center.
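The process model above (assess the security controls, identify control gaps) and the checklist item on building a responsibilities matrix can be made concrete with a small gap-analysis script. The following is an added example written for this post, not code from the original article or from any provider; the responsibility matrix, control areas, project controls and evidence strings are constructed and simplified for illustration, and a real matrix would come from your provider's documentation and your compliance requirements. It flags three kinds of gap: an area with no documented control, an area where the customer is relying on a provider-operated control even though the customer is responsible under the chosen service model, and a control listed without evidence.

```python
"""Responsibilities matrix and control-gap analysis (constructed example)."""
from dataclasses import dataclass

PROVIDER, CUSTOMER = "provider", "customer"

# Constructed, simplified split of who is responsible for each control area
# under each SPI service model. It follows the shared-responsibility model
# described in the post; a real matrix comes from the provider's documentation.
RESPONSIBILITY_MATRIX = {
    "IaaS": {
        "physical_security": PROVIDER, "network_infrastructure": PROVIDER,
        "virtualization": PROVIDER, "os_hardening": CUSTOMER,
        "platform_configuration": CUSTOMER, "application_security": CUSTOMER,
        "data_encryption": CUSTOMER, "identity_access": CUSTOMER,
        "logging_monitoring": CUSTOMER,
    },
    "PaaS": {
        "physical_security": PROVIDER, "network_infrastructure": PROVIDER,
        "virtualization": PROVIDER, "os_hardening": PROVIDER,
        "platform_configuration": CUSTOMER, "application_security": CUSTOMER,
        "data_encryption": CUSTOMER, "identity_access": CUSTOMER,
        "logging_monitoring": CUSTOMER,
    },
    "SaaS": {
        "physical_security": PROVIDER, "network_infrastructure": PROVIDER,
        "virtualization": PROVIDER, "os_hardening": PROVIDER,
        "platform_configuration": PROVIDER, "application_security": PROVIDER,
        "data_encryption": PROVIDER, "identity_access": CUSTOMER,
        "logging_monitoring": CUSTOMER,
    },
}


@dataclass(frozen=True)
class Control:
    area: str      # control area from the matrix
    name: str      # human-readable control name
    owner: str     # who actually operates it: PROVIDER or CUSTOMER
    evidence: str  # where the implementation is documented or attested


def responsible_party(service_model: str, area: str) -> str:
    """Look up who is responsible for an area; unknown keys are an error."""
    try:
        return RESPONSIBILITY_MATRIX[service_model][area]
    except KeyError:
        raise ValueError(f"unknown service model or area: {service_model}/{area}")


def find_gaps(service_model, required_areas, controls):
    """Compare required control areas against documented controls.

    Returns a list of (area, responsible_party, finding) tuples, sorted by area.
    """
    by_area = {}
    for c in controls:
        by_area.setdefault(c.area, []).append(c)
    gaps = []
    for area in sorted(required_areas):
        responsible = responsible_party(service_model, area)
        owned = [c for c in by_area.get(area, []) if c.owner == responsible]
        misplaced = [c for c in by_area.get(area, []) if c.owner != responsible]
        if not owned:
            if misplaced:  # someone is doing it, but not the responsible party
                finding = (f"relies on {misplaced[0].owner}-operated control "
                           f"'{misplaced[0].name}' but {responsible} is responsible")
            else:
                finding = f"no control documented; {responsible} must implement one"
            gaps.append((area, responsible, finding))
        elif any(not c.evidence for c in owned):
            gaps.append((area, responsible, "control listed without evidence"))
    return gaps


# Constructed sample project: a PaaS deployment with a hypothetical compliance
# requirement covering six control areas and a partially documented matrix.
REQUIRED_AREAS = ["physical_security", "os_hardening", "data_encryption",
                  "identity_access", "logging_monitoring", "application_security"]
PROJECT_CONTROLS = [
    Control("physical_security", "data center audit", PROVIDER, "provider audit report"),
    Control("os_hardening", "managed runtime patching", PROVIDER, "provider docs"),
    # Encryption is offered by the platform, but under PaaS configuring it is
    # the customer's job: relying on the provider here is a gap.
    Control("data_encryption", "platform default encryption", PROVIDER, "provider docs"),
    Control("identity_access", "SSO with MFA", CUSTOMER, ""),  # no evidence yet
    Control("application_security", "WAF in front of the app", CUSTOMER, "change ticket"),
]

if __name__ == "__main__":
    for area, who, finding in find_gaps("PaaS", REQUIRED_AREAS, PROJECT_CONTROLS):
        print(f"{area:22} ({who}): {finding}")
```

Running the script prints three findings for the sample project: data encryption is misassigned to the provider, identity and access control has no evidence, and logging and monitoring has no control at all. The same controls evaluated under a different service model can produce different gaps, which is the point made above about evaluating each migration on its own configuration.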
Download our Cloud Migration Guide to learn more about approaches and security considerations for migrating your applications and data to the cloud.