As the cloud continues to expand with no end in sight, it’s only wise to invest in it. Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service bring significant cost savings (personnel and ownership), improved performance, better reliability, freedom to scale and - above all - significant security benefits. It’s no wonder that so many businesses have already adopted all three of these models.
IaaS, PaaS and SaaS face very different security risks you will have to address if you decide to adopt them. It’s important to understand the shared responsibility model which defines the security obligations in the cloud and how it applies to each cloud service type. In IaaS, PaaS and SaaS alike, both CSPs and users are responsible for security and the scope of that responsibility is different for each cloud service type.
In this article, we explain the following:
The below diagram demonstrates the differences in security responsibilities in every cloud service model. Note that in IaaS users have the greatest security responsibility.
For information on the shared responsibility model, please refer to our earlier article.
IaaS is the basic level of cloud service, in which the provider hosts infrastructure components, including servers and networking hardware and is responsible for keeping them secure. In this model, protecting applications, data, user access, operating systems and virtual network traffic is in the customer’s hands.
Cloud providers offer different tools for securing their resources, but it’s up to the IT professionals to use them correctly. Here are the most common mistakes that put IaaS at risk:
In addition to infrastructure, PaaS offers the software and tools needed to build applications, which puts it one level up from IaaS. In this model, the user must secure user access, data and applications, while securing both the OS and the infrastructure becomes the CSP’s responsibility.
In PaaS, security boils down to data protection issues. Consider the following risks:
In the SaaS model, CSPs host and manage the infrastructure and applications. In comparison with IaaS and PaaS, clients have less security responsibility. Nonetheless, they must ensure user access is sufficiently protected. Compromised passwords are the biggest security risk in SaaS.
We’ve recently covered SaaS security in a separate article. You can read it here.
Many organizations operate in multi-cloud environments, where they use IaaS, PaaS and SaaS from different vendors. Regardless of which cloud service model you are using, we encourage you to take a look at the following best practices oriented at increasing the security of your cloud infrastructure.
Find out what their security patch management plan is, when they last updated their security protocols, what their incident response and disaster management plans are, etc. It’s good to be prudent when it comes to your data and infrastructure. A McAfee study found that only 8% of cloud services meet the security requirements outlined in the CloudTrust Program and only 10% encrypt data at rest.
Most third-party platforms and libraries will have vulnerabilities. Developers can inherit them if a prior check for vulnerabilities isn’t performed.
Security flaws may be introduced to the code in the early stages of the development process. Using threat modeling tools can be invaluable in identifying and eliminating these flaws. Take a look at Microsoft’s free threat modeling tool.
Ensure that both users and developers are allowed to do only what’s included in their job description and nothing more.
Always deprovision inactive accounts and those belonging to former employees before hackers become interested in them. With services such as LinkedIn, it’s easy to find out who has recently left your company. Remember to lock root account credentials as well to block unauthorized access to admin accounts.
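The account review described above can be run automatically against an identity export. The following is an added example, not Sumo Logic code; the CSV columns, the `root` account name, the leaver list and the 90-day idle threshold are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a real provider's schema.
SAMPLE_EXPORT = """user,last_login,access_key_active
root,2024-05-30,true
alice,2024-05-28,false
bob,2023-11-02,true
carol,never,true
dave,2024-05-20,true
"""
OFFBOARDED = {"dave"}  # constructed HR leaver list
MAX_IDLE_DAYS = 90     # assumed policy threshold


def audit_accounts(export_text, offboarded, today, max_idle_days=MAX_IDLE_DAYS):
    """Return {user: [reasons]} for accounts to deprovision or lock."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip()
        key_active = row["access_key_active"].strip().lower() == "true"
        last_login = row["last_login"].strip()
        reasons = []
        if user in offboarded:
            reasons.append("former employee")
        if user == "root":
            # Root cannot be removed; flag it when its credentials are usable.
            if key_active:
                reasons.append("root has an active access key")
        elif last_login == "never":
            reasons.append("never logged in")
        else:
            idle = (today - date.fromisoformat(last_login)).days
            if idle > max_idle_days:
                reasons.append(f"idle {idle} days")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_EXPORT, OFFBOARDED, date(2024, 6, 1))
    for user, reasons in report.items():
        print(f"{user}: {', '.join(reasons)}")
```
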
Traditional enterprise security tools aren’t the best fit for cloud services. Cloud infrastructure, with its virtual machines, storage and networks, requires solutions built specifically for that virtual environment.
Make sure you invest in a tool that provides unified security services and allows you to manage them centrally across all services and providers. In this way, you will have clear visibility over your infrastructure and will be able to streamline workflows.
The inability to collect data from off-premises assets creates blind spots for enterprises and is a serious barrier to adoption of cloud services. Sumo Logic removes those barriers. It is designed to effortlessly handle all of your log data, regardless of volume, type or location.
Our universal security tool collects data from on-premises environments, private, public and hybrid clouds, as well as SaaS, PaaS and IaaS. It visualizes and reports on threats in real time. Finally, it proactively uncovers events with an anomaly detection engine, so it doesn't require writing rules.
As organizations leverage modern SaaS applications like Office 365, Salesforce, Google Apps and Box, it is critical that they have visibility into user and administrator actions to help manage audit and compliance activities and identify unusual behaviors that might compromise data security.