A security checklist for SaaS, PaaS and IaaS cloud models

Key security issues can vary depending on the cloud model you're using. Vordel CTO Mark O'Neill looks at 5 critical challenges.

How does security apply to Cloud Computing? In this article, we address this question by listing the five top security challenges for Cloud Computing, and examine some of the solutions to ensure secure Cloud Computing.

Organizations and enterprises are increasingly considering Cloud Computing to save money and to increase efficiency. However, while the benefits of Cloud Computing are clear, most organizations continue to be concerned about the associated security implications. Due to the shared nature of the Cloud where one organization's applications may be sharing the same metal and databases as another firm, Chief Security Officers (CSOs) must recognize they do not have full control of these resources and consequently must question the inherent security of the Cloud. However, it is important to note that Cloud Computing is not fundamentally insecure; it just needs to be managed and accessed in a secure way.

All Cloud Models Are Not the Same

Although the term Cloud Computing is widely used, it is important to note that all Cloud Models are not the same. As such, it is critical that organizations don't apply a broad brush one-size fits all approach to security across all models. Cloud Models can be segmented into Software as a Service (Saas), Platform as a service (PaaS) and Integration as a Service (IaaS). When an organization is considering Cloud security it should consider both the differences and similarities between these three segments of Cloud Models:

SaaS: this particular model is focused on managing access to applications. For example, policy controls may dictate that a sales person can only download particular information from sales CRM applications. For example, they are only permitted to download certain leads, within certain geographies or during local office working hours. In effect, the security officer needs to focus on establishing controls regarding users' access to applications.

PaaS: the primary focus of this model is on protecting data. This is especially important in the case of storage as a service. An important element to consider within PaaS is the ability to plan against the possibility of an outage from a Cloud provider. The security operation needs to consider providing for the ability to load balance across providers to ensure fail over of services in the event of an outage. Another key consideration should be the ability to encrypt the data whilst stored on a third-party platform and to be aware of the regulatory issues that may apply to data availability in different geographies.


IaaS: within this model the focus is on managing virtual machines. The CSOs priority is to overlay a governance framework to enable the organization to put controls in place regarding how virtual machines are created and spun down thus avoiding uncontrolled access and potential costly wastage.

The following check-list of Cloud Security Challenges provides a guide for Chief Security Officers who are considering using any or all of the Cloud models. Note, some of these issues can be seen as supplementing some of the good work done by the Cloud Security Alliance, in particular their paper from March 2010 Top Threats to Cloud Computing [PDF link].

1 2 Page 1
Page 1 of 2
Get the best of CSO ... delivered. Sign up for our FREE email newsletters!