Securing the cloud starts with the cloud architecture. The critical piece in building a cloud computing security architecture is planning its visibility portion, also known as the performance management strategy, for the cloud network. Visibility provides insight into potential flaws and traffic blockages and helps locate suspicious activity in the network. SAN Org states it best: “Visibility is the key takeaway here, because you cannot protect systems you cannot see.”
Cloud security follows a shared responsibility model, meaning that both the provider and the consumer share responsibility for securing the cloud. The best practice is for enterprises to carefully review the cloud service provider’s (CSP) service level agreement (SLA) to understand which security measures the enterprise is responsible for enforcing. For all cloud service models, ResearchGate recommends these items for a secure cloud architecture:
- Apply single sign-on (SSO) across accounts with various service providers so that IT administration staff can monitor the cloud more easily.
- Use virtual firewalls instead of first-generation firewalls.
- Incorporate data loss prevention (DLP) tools.
In addition to the advice from ResearchGate, enterprises should further protect the cloud by implementing a security information and event management (SIEM) system, distributed denial-of-service (DDoS) attack protection, and anti-virus software.
How the Cloud Computing Security Architectures Vary Based on Cloud Service Models
While all cloud architecture models require performance management tools and strategy, the security architecture varies based on the type of cloud model — software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), or platform-as-a-service (PaaS). It’s important to distinguish the different service models, as The Cloud Security Alliance notes: “IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS.”
IaaS Cloud Computing Security Architecture
IaaS provides the storage and networking components of a cloud deployment. It relies heavily on application programming interfaces (APIs) to let enterprises manage and interact with the cloud. However, cloud APIs tend to be a weak point because they are exposed and readily accessible on the network.
The CSP handles the security of the infrastructure and the abstraction layers. The enterprise’s security obligations include the rest of the stack, including the applications.
Deploying network packet brokers (NPBs) in an IaaS environment provides visibility into security issues within a cloud network. NPBs direct traffic and data to the appropriate network performance management (NPM) and security tools. Along with deploying NPBs to gather wire data, enterprises should also collect logs to view issues occurring at the network’s endpoints.
IaaS cloud computing service models require these additional security features:
- Virtual web application firewalls placed in front of a website to protect against malware.
- Virtual network-based firewalls located at the cloud network’s edge that guard the perimeter.
- Virtual routers.
- Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS).
- Network segmentation.
SaaS Cloud Computing Security Architecture
SaaS centrally hosts software and data that are accessed via a browser. The enterprise normally negotiates the terms of security ownership with the CSP in a legal contract.
Cloud Access Security Brokers (CASBs) play a central role in discovering security issues within a SaaS cloud service model: they log, audit, provide access control, and often include encryption capabilities.
Other security features for the SaaS cloud environment include:
- IP restrictions
- API gateways
PaaS Cloud Computing Security Architecture
CSA defines PaaS as the “deployment of applications without the cost and complexity of buying and managing the underlying hardware and software and provisioning hosting capabilities.”
The CSP secures most of a PaaS cloud service model; however, the security of the applications rests with the enterprise. The essential components for securing a PaaS cloud include:
- IP restrictions
- API gateways
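As an added example that is not part of the article, the IP-restriction control listed for both the SaaS and PaaS environments above, written as a Python allowlist check that an API gateway could apply before forwarding a request; the address ranges, the trusted-proxy list and the X-Forwarded-For handling are assumptions, and the decision record is shaped so it can be shipped to a SIEM for visibility.

```python
import ipaddress
from typing import Optional

# Constructed allowlist: the address ranges permitted to reach the API.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
# Constructed list of the gateway's own load balancers / proxies. Only these
# peers are allowed to assert a client address through X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8",)]


def _in_any(addr, networks) -> bool:
    # ipaddress returns False (rather than raising) for a v4/v6 mismatch.
    return any(addr in net for net in networks)


def client_address(peer_ip: str, forwarded_for: Optional[str]):
    """Resolve the real client address for a request.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise a client could forge the header to bypass the restriction.
    When honoured, the right-most entry is the one appended by our own proxy,
    so it is the only hop we trust (assumes a single trusted proxy tier).
    """
    peer = ipaddress.ip_address(peer_ip)
    if forwarded_for and _in_any(peer, TRUSTED_PROXIES):
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            return ipaddress.ip_address(hops[-1])
    return peer


def check_request(peer_ip: str, forwarded_for: Optional[str] = None) -> dict:
    """Return an allow/deny decision plus a record suitable for SIEM logging."""
    try:
        client = client_address(peer_ip, forwarded_for)
    except ValueError:
        # Unparseable addresses fail closed and are still logged.
        return {"allowed": False, "reason": "unparseable address", "client": None}
    allowed = _in_any(client, ALLOWED_NETWORKS)
    return {
        "allowed": allowed,
        "reason": "allowlisted" if allowed else "source not in allowlist",
        "client": str(client),
    }
```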