When some enterprises migrate to the cloud, they wrongly assume that workload security is now in the hands of their cloud provider.
In reality, most cloud vendors enforce what's called a shared responsibility model. This model varies depending on the cloud computing service category -- SaaS, PaaS or IaaS -- but, in all cases, security responsibilities are split to some degree between the cloud provider and its users.
When applications and servers are hosted in-house, IT operations admins' security responsibilities are clearly defined; teams can physically see, or at least have direct control over, the IT resources that run in their data center. With cloud computing, however -- where users essentially "rent" compute resources from a provider -- admins must drastically change how they manage workloads. And, in some cases, this creates gaps in security coverage.
While SaaS and PaaS each present unique cloud security considerations, admins can also apply some key best practices from their days of securing on-premises resources.
SaaS security emphasizes access control
With SaaS, enterprises access an application that is fully hosted and managed by a cloud provider. It might appear as if IT teams are free from any security responsibilities, particularly when compared to how they maintain on-premises workloads. The problem, however, is that this is an apples-to-oranges comparison.
The SaaS provider does manage and secure the infrastructure, OS and application stack -- but IT teams still need to manage configurations and access controls for SaaS applications. Most SaaS offerings -- whether Microsoft Office 365 or a learning management system or HR tool -- come with admin accounts, from which IT staff can add or remove user access permissions for the application. Admins also can enable or disable certain application features to fit the enterprise's needs and compliance model. Limit access to these administrative accounts to only a select group of operations admins, and where possible, make the admin accounts separate from their daily user accounts to avoid accidental SaaS-wide changes.
A cloud migration is a complex process, during which IT teams might grant permissions on a temporary basis -- and they can forget to reset access after the migration is complete. Account auditing is an essential cloud security consideration for all applications hosted there.
PaaS security brings greater responsibility
Compared to SaaS, IT staff's responsibilities increase with PaaS deployments. PaaS grants admins more control over the application stack -- which shifts more security responsibilities from the cloud provider to the user.
PaaS security can be a challenge, organizationally, for operations staff, since the team that owns the application typically handles application security, rather than the security and infrastructure team. In other words, PaaS puts a lot of security responsibility onto people whose primary concern is application delivery.
This gap between the application owner and the security teams has always existed, but it becomes more evident with cloud adoption. Ops teams may find they have another hat to wear; while they won't be responsible for securing the cloud application itself, they will have to enforce -- and verify -- that other parties follow security best practices.
A change to toolsets -- and processes
Another cloud security consideration is that ops and the security teams can't use traditional tools and processes for cloud security testing and verification. For example, in some cases, enterprise IT teams must notify their cloud provider when they plan to run security scans or penetration tests on that provider's resources. Even if a cloud provider does not require these notifications, it generally defines certain practices that users must follow to perform these tests. In addition, a cloud provider's internal security teams have the right to respond to tests performed on the platform.
Cloud providers' native tools, such as AWS Security Hub and Azure Security Center, along with several third-party products, such as HyTrust and CipherCloud, can validate cloud deployment security. Cloud providers don't want to see their users experience a security issue -- because it's simply bad for business -- so take advantage of the tools they offer.
Overall, though, cloud security considerations are less about technical shortcomings, and more about processes and verification. IT ops teams need to emphasize policy and procedure -- this will go much further to secure a cloud deployment than any one tool can.