There are two distinct points of view when discussing cloud security: the tenant’s point of view, and the cloud service provider’s point of view. Both of these points of view are legitimate, but one is often confused for the other, because we discuss our points of view without clarifying which one we mean. Within each of these points of view, there are also two distinctly different approaches to cloud security.

Cloud Security Point of View 1: The Tenant

When you think of security for the tenant, your viewpoint really matters. Many cloud service providers will tell the tenant about all that they do to secure the tenant from other tenants, but to be frank, that is only a part of what tenants need to know. The tenant has its own security policies to which it must adhere, regardless of the cloud’s security policies. When it comes to compliance, the tenant’s security policies always win. This is one reason why movement to the cloud hits roadblocks. If the cloud service providers cannot provide the underlying security postures, how can I really know if the cloud has met my (the tenant’s) security requirements?

We can all agree that cloud providers can do security better than nearly everyone else, but the provider is meeting its own policies, not mine as the tenant. There is no proof that such security practices have been met. Tenants still want an auditable collection of reports and tool outputs that prove that their policies have been met.

Even within each tenant, there are two approaches to cloud security:

  1. Trust the cloud provider, attempt to verify that the cloud provider has met the tenant’s security requirements, and if it has not, adjust the tenant policy. This may be feasible if the cloud is a community cloud, such as the New York Stock Exchange cloud, as community cloud security requirements are shared by the community.
  2. Add more security, such as SSO-based security by Adallom, Skyfence, etc., into the tenant’s tenancy in the cloud, or even augment security by adding in vendor-controlled firewalls and networking constructs for IaaS-based clouds. Each addition depends on the type of cloud in use. These types of tenants will look very closely at any cloud provider security feature to see if it meets their own requirements.

In either approach, the cloud provider is required to provide enough data to attest to its own security stance. While we know cloud providers can often do security better than many enterprises, they do not do a good job of allowing external attestation of that security as it impacts a tenancy. Because of this lack of information regarding security, I see an increasing number of tenants taking the second approach. This way, they can gain a handle on all their security policy requirements.

Unfortunately, because very few clouds have adopted CloudAudit today, cloud providers handle requests for audit information manually. At minimum, this should be automated and the proper tools built to allow tenants to audit the bits of the cloud themselves. Automation has yet to make it to this part of the secure hybrid cloud.

Cloud Security Point of View 2: The Service Provider

The cloud service provider’s perspective is quite different from a tenant’s. Its main goal is to ensure that two tenants do not mingle data, virtual machines, and other elements of their tenancies. Its secondary goal is to protect its management components from outside attack, which has a stated effect of hardening the entire environment to the cloud service provider’s security policies. Now, some may go further and prove compliance with PCI, HIPAA, and other compliance controls. However, when they do so, it is for a subset of their entire cloud.

The service provider point of view also has several approaches:

  1. Secure the service provider’s bits of the cloud and ensure tenants cannot cross any boundaries to another tenant. This ensures tenant security. What cannot be secured via technology, secure using process and procedures. These are all good starts, but cloud administrators still have access to an unprecedented amount of data about and within all cloud tenancies. Because of this, process and procedure are key to this approach’s success.
  2. Work with the tenants to enable the appropriate security down to the hardware in use. In effect, form a community cloud in which all tenants can benefit equally. Many SaaS clouds use this approach, as the tenants are often just users of the SaaS, grouped together in some fashion. But this can also be an approach to security for IaaS-based clouds that specialize in specific technologies, such as SAP, Oracle, etc.

These approaches by the cloud provider both work, but the audit responsibility is on the cloud provider. The cloud provider needs to provide auditability down to what each administrator is doing within a tenancy, either automatically or via process and procedure–style logs.

When in Doubt

If you are in doubt about your cloud provider’s approach, look at things from its point of view first. If you can get the audit logs you require, then the provider’s approach is useful to you. If you cannot, then the “trust but verify” approach to cloud security is really ineffectual. It is then time to implement your own in-tenant security mechanisms and track all access to your cloud-management portals. In effect, if your cloud provider cannot provide you with the necessary data, either get off that cloud or find a way to add your own security measures and feed them into your existing security mechanisms.

Which approach does your organization take to cloud security? How do you provide for security, compliance, and data protection of data stored in the cloud?