Cloud service customers remain responsible for securing the hosts that perform the computation work.
In my previous column (SC, May), I discussed network-level considerations that IS professionals should be thinking about with the use of public cloud computing. This time, we move up the “stack” to host-level considerations.
In reviewing host security, public cloud service users should factor the context of cloud computing service models – software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) – to assess and model cloud service risks. The threat spectrum varies from steady threat to increased threat, depending upon the type of cloud service – and the sensitivity of data stored and processed in the cloud.
It is no secret that cloud service providers employ numerous hosts that scale horizontally to deliver a scalable and elastic cloud service. In some cases, the hosts are virtualised to improve the efficiency of the servers, and in most cases the computing architecture is well abstracted and hidden from customers. So, it is important that cloud service customers understand the host security model, including the layer of abstraction, and their duty to secure the hosts that perform the computational workload.
In a typical SaaS model, hosts are owned and managed by SaaS providers and the provider is responsible for hardening and securing the hosts. Large SaaS providers usually build and deliver their SaaS service using their own hardware hosted in a private data centre. It is conceivable that a SaaS service can be built on another provider's IaaS – either public or private (eg Amazon's EC2 public cloud). In that layered service model, the SaaS provider may be delegating some of the host security responsibilities to the IaaS provider.
A PaaS cloud enables a developer to develop and run web applications on the PaaS provider's infrastructure. This on-demand service is a multi-tenant model and applications interact with PaaS platforms via web services similar to service-oriented architecture (SOA). PaaS web services are typically exposed via REST, SOAP or XML over HTTP(S) protocols. PaaS service providers (eg Google's App Engine, Microsoft's Azure, Salesforce.com's Force.com) similarly own and manage the hosts delivering the PaaS service.
The API (application programming interface) acts as an abstraction layer between the developer and hosts and shields the OS of the host from developers (ie developers do not have direct access to PaaS hosts). The underlying assumption is that the web apps on the PaaS platform run in an isolated environment that provides limited access to the OS of the hosts. These limitations force the PaaS engine to distribute requests for the application across multiple hosts and to automatically provision and deprovision hosts according to the traffic demands. The lifecycle management of the PaaS hosts is always invisible to the developer, as is dynamic provisioning of hosts.
Examining the SaaS and PaaS models, it is apparent that there are many similarities between those cloud types. On the other hand, IaaS clouds such as Amazon's EC2, Sun's network.com and GoGrid share few similarities with higher-level cloud types – SaaS and PaaS. The unique characteristics and operating model of IaaS clouds bring very different sets of host security challenges, since host security management is delegated to the customer.
IaaS host architecture is such that every provisioned host on the IaaS platform will resemble a host running a standard OS. The OS of the host manifests itself in the form of VM images which, when instantiated using IaaS provider-specific commands, creates a full-blown host – with CPU, memory, network and I/O resources controlled by the OS. This means that the customer of IaaS now has complete control of the host operating system, and should shoulder the vast majority of the responsibility in securing the IaaS hosts.
Hence customers of IaaS services need to pay a lot more attention to the host security and management.
In my next column, we'll move up the stack again and talk about application security in cloud computing.