The use of the word “Cloud” to describe hosted IT services is somewhat of a misnomer. Even though its origin is from a diagram on paper it still conjures a vision of this floating entity over which you have no control and it may not be there in the morning. However it is a very pervasive marketing term and has strong acceptance.
Cloud is not so much a technology as a convergence of multiple streams of technology into a new service layer. It is categorised into three major service offerings which require different security considerations:
Infrastructure As A Service (IaaS) is the delivery of computer infrastructure (typically a platform virtualization environment) as a service. Rather than purchasing servers, software, data centre space or network equipment, clients instead buy those resources as a fully outsourced service. The service is typically billed on a utility computing basis and amount of resources consumed (and therefore the cost) will typically reflect the level of activity. Storage as a Service (remote backup) is often cited as a subset of IaaS.
Platform As A Service (PaaS) provides all of the facilities required to support the complete life cycle of building and delivering web applications and web services with no software downloads or installation for developers, IT managers or end-users.
Software As A Service (SaaS) is a model of software deployment whereby a provider licenses an application to customers for use as a service on demand. SaaS software vendors may host the application on their own web servers or download the application to the consumer device, disabling it after use or after the on-demand contract expires.
For SaaS and PaaS the primary security focus is around data integrity, availability and confidentiality whilst with IaaS the focus is on technical controls.
Every day more organisations are moving their data into the Cloud, with increasing reliance on web applications and hosted services as core components of their business operations.
More often than not the move to cloud services is driven by business divisions identifying a new solution they want now which is not dependant on internal IT resourcing or constraints. Unfortunately at times the value of the data or the issues around integration of cloud and on-premises data is overlooked. This can result in much post-implementation ad-hoc activities that can compromise data and system security.
Just as important the risks cannot be entirely outsourced. Servers go down, hardware fails, and networks lose connectivity. Underlying all these potential issues is the general risk of a business losing control over their own data and not being able to account for it if things go wrong.
Look out for Part 2...
Business Development Manager, Government & Commercial