IT Security is Essential in the Cloud – But Which Cloud Do We Mean?

Clouds by definition are nebulous and vague. Their use in IT models and discussions goes back decades, long before the current cloud computing models. A ‘cloud’ was convenient shorthand for showing a link between a system on one side and a terminal or another system on the other. Today, however, the concept has evolved. Not only do such clouds link computers, but increasingly they are the computer. Aspects of on-site IT security therefore apply to cloud computing too. For that reason alone, it’s time to firm up definitions about the type of computing that goes on in the cloud, and the IT security approaches suited to each one.

The current segmentation of cloud computing activities is SaaS, IaaS and PaaS. SaaS, or Software as a Service, refers to software applications made available to client organisations by providers. Clients may have some latitude in configuring the application for their use, but usually cannot access underlying operating systems or hardware. IaaS, which is Infrastructure as a Service, operates at a level below. The provider supplies computing resources including, for example, database software. The client then loads its own applications on top. Finally, PaaS, or Platform as a Service, is the ‘bare metal’ service that provides raw computing power (processors and memory), on which the client builds the operating system/database/application stack of its choice.

SaaS usage therefore often makes data access security, in terms of user access rights, a priority. IT security managers and chief security officers (CSOs) focus on access controls that may depend on factors such as location, time of day and the type of computing device being used for access. By comparison, the IaaS model is concerned with the creation and deletion of virtual machines, and the need to protect the client enterprise from potential wastage or unauthorised use of resources. Finally, for PaaS (Platform as a Service), which also includes basic cloud data storage, there is an emphasis on data protection in a general sense, including backups and confidentiality. None of these aspects is exclusive to any one kind of cloud computing. However, they provide an indication of the areas where IT security managers are likely to be spending more of their time.