Custom Security in the Cloud

May 16, 2010 by Jake Robinson
In my previous post, I mentioned some challenges made by Dan Lohrmann, CTO for the State of Michigan. Mr. Lohrmann had some great insight into the challenges within the Cloud Computing Security domain. Let’s talk about 3 specific challenges:

Who owns the end to end security?
Who owns the responsibility in the event of a breach?
Who owns the logs?

Now, before I answer these, we need to look at how the answers will vary between cloud computing providers. Let’s take a look at what I refer to as the "XaaS stack."

 

[Figure: The XaaS stack]

Let’s say we move to the top of the stack to SaaS. This means we don’t need to invest the manpower to handle our platform and infrastructure. This is great when a turnkey SaaS solution will meet all of our security requirements. 
 
We need to realize, however, that as we move higher up the stack, we lose 3 valuable abilities: Visibility, Control, and Customization.

So let’s get back to our questions. Answering within the context of IaaS, the answers become clear:

Who owns the end to end security?
IaaS gives you full control over the end to end security. You can utilize controls and procedures you already have in place, without having to conform to a Cloud Computing Provider’s proprietary system.

Who owns the responsibility in the event of a breach?
You have complete control of, and responsibility for, every security aspect of your cloud infrastructure.

Who owns the logs?
You have 100% log visibility. The logs are in your Cloud Infrastructure, and thus belong to you.

In summary, more specific security requirements simply mean that you will need to start lower in the stack. Cloud hosting can meet any need you throw at it; just ask Logiq3!