As the cloud continues to expand with no end in sight, it’s only wise to invest in it. Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service bring significant cost savings (personnel and ownership), improved performance, better reliability, freedom to scale and - above all - significant security benefits. It’s no wonder that so many businesses have already adopted all three of these models.
IaaS, PaaS and SaaS face very different security risks you will have to address if you decide to adopt them. It’s important to understand the shared responsibility model which defines the security obligations in the cloud and how it applies to each cloud service type. In IaaS, PaaS and SaaS alike, both CSPs and users are responsible for security and the scope of that responsibility is different for each cloud service type.
In this article, we explain the following:
- Who is accountable for security in IaaS, PaaS and SaaS
- What the security challenges are with IaaS
- What the security challenges are with PaaS
- What the security challenges are with SaaS
- How to eliminate those challenges
Security accountability in IaaS, PaaS and SaaS
The below diagram demonstrates the differences in security responsibilities in every cloud service model. Note that in IaaS users have the greatest security responsibility.
For information on the shared responsibility model, please refer to our earlier article.
IaaS security risks
IaaS is the basic level of cloud service, in which the provider hosts infrastructure components, including servers and networking hardware and is responsible for keeping them secure. In this model, protecting applications, data, user access, operating systems and virtual network traffic is in the customer’s hands.
Cloud providers offer different tools for securing their resources, but it’s up to the IT professionals to use them correctly. Here are the most common mistakes that put IaaS at risk:
- Data encryption turned off: Without encryption, data is exposed to theft and unauthorised access. Encryption is essential for data in transit, when it’s being moved from on-premises and cloud-based resources, and between different cloud applications. Organizations can use their own encryption keys or those offered by the service provider.
- Misconfiguration: Statistically, every organization has at least 14 misconfigured IaaS instances running, according to a McAfee report. The consequences? Over 2,200 misconfiguration incidents are reported per month, on average. Storage access that is open to the internet is the most common problem; as much as 5.5% of AWS S3 buckets are currently publicly readable, and that’s never a wise choice.
- Rogue cloud accounts: Unwarranted uses of cloud services are common with SaaS, but can occur in IaaS as well. These usually happen when an employee wants to use an application or resource not provisioned by their employer, and ends up using a cloud provider without informing the company’s IT department.
- Robust user role-based permissions: When developers, other users or even inactive accounts are able to do more than their role requires, the entire organization infrastructure is exposed to great risk.
PaaS security risks
In addition to infrastructure, PaaS offers the software and tools needed to build applications. It’s a great solution, so it’s one level up from IaaS. In this model, the user must secure user access, data and applications, while securing both the OS and the infrastructure become the CSP’s responsibility.
In PaaS, security boils down to data protection issues. Consider the following risks:
- Data encryption turned off: Just like in IaaS, leaving your data unencrypted exposes it to theft and unauthorised access.
- Robust user role-based permissions: We’ll say it once again: to ensure maximum protection of your data, permit each user to do the minimum.
- Unrevised SLAs: The SLA you sign with the CSP relates directly to the value of your data. Understand and negotiate the terms of remuneration in case the data is lost or compromised. Check if their security protocols are updated, etc.
SaaS security risks
In the SaaS model, CSPs host and manage the infrastructure and applications. In comparison with IaaS and SaaS, clients have less security responsibility. Nonetheless, they must ensure user access is sufficiently protected. Compromised passwords are the biggest security risk in SaaS.
We’ve recently covered SaaS security in a separate article. You can read it here.
Eliminating IaaS, PaaS and SaaS challenges: best practices
Many organizations operate in multi-cloud environments, where they use IaaS, PaaS and SaaS from different vendors. Regardless of which cloud service model you are using, we encourage you to take a look at the following best practices oriented at increasing the security of your cloud infrastructure.
- Research the CSP’s security practices
Find out what their security patch management plan is, when they last updated their security protocols, what their incident response and disaster management plans are, etc. It’s good to be prudent when it comes to your data and infrastructure. A McAfee study found that only 8% of cloud services meets the security requirements outlined in the CloudTrust Program and only 10% encrypt data at rest.
- Scan for inherited software liabilities
Most third-party platforms and libraries will have them. They can be inherited by developers if a prior check for vulnerabilities isn’t performed.
- Benefit from threat modeling
Security flaws may be introduced to the code in the early stages of the development process. Using threat modeling tools can be invaluable in identifying and eliminating these flaws. Take a look at Microsoft’s free threat modeling tool.
- Implement stringent role-based access controls
Ensure that both users and developers are allowed to do only what’s included in their job description and nothing more.
- Manage inactive accounts
Always deprovision inactive accounts and those belonging to former employees before hackers become interested in them. With services such as LinkedIn, it’s easy to find out who has recently left your company. Remember to lock root account credentials as well to block unauthorized access to admin accounts.
Eliminating public cloud security risks with Cloud SIEM
Traditional enterprise security tools aren’t the best fit for cloud services. Cloud infrastructure, with its virtual machines, storage and networks, requires solutions built specifically for that virtual environment.
Make sure you invest in a tool that provides unified security services and allows you to manage them centrally across all services and providers. In this way, you will have clear visibility over your infrastructure and will be able to streamline workflows.
Inability to collect data from off-premise assets exposes blind-spots for enterprises and is a serious barrier to adoption of cloud services. Sumo Logic removes those barriers. It is designed to effortlessly handle all of your log data, regardless of volume, type or location.
Our universal security tool collects data from on-premise environment, private, public and hybrid clouds, as well as SaaS, PaaS and IaaS. It visualizes and reports on threats in real time. Finally, it proactively uncovers events with an anomaly detection engine, so it doesn't require writing rules.
Sumo Logic Cloud SIEM for SaaS Security
As organizations leverage modern-day, SaaS applications like Office 365, Salesforce, Google Apps and Box, it is critical that they have visibility into user and administrator actions to help manage audit and compliance activities and identify unusual behaviors that might compromise data security.
- Get full visibility of who, what, where, when, & How?
- Anomalous user & access behavior Monitor
- Suspicious access from multiple locations
- Failed/ successful logins
- Monitor the admin activities
- Monitor configuration changes
- Privilege access abuse
- Monitor actions from compromised accounts
- Settings/ config changes and drifts
- Ensure the right data is accessed by the right users
- Data access monitoring by users, devices, locations
- Monitor for data exfiltration
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.