Infrastructure-as-a-Service Security Responsibilities

WHAT IS IAAS?

Infrastructure as a Service (IaaS) allows you to rent computing resources from a third party that you then access through the web. You essentially outsource having to set up or manage up racks, servers, storage, cooling equipment, power, or a physical place to house it all. You simply pay for only the computing capacity you need, and leave the dirty work of maintaining and securing the computer hardware to someone else, without incurring any upfront capital costs. See additional tips

It’s no secret many organizations rely on popular cloud providers like Amazon and Microsoft for access to computing infrastructure. The many perks of cloud services, such as the ability to quickly scale resources without the upfront cost of buying physical servers, have helped build a multibillion-dollar cloud industry that continues to grow each year.

Still, even though cloud has helped many companies, there are tradeoffs with cloud services such as Infrastructure-as-a-Service (IaaS) that organizations need to be aware of. With IaaS, a cloud provider maintains basic IT infrastructure such as servers, storage, and networks on your behalf, which is convenient but also raises concerns at the same time.

WHY ARE IT PROS WORRIED ABOUT CLOUD SECURITY?

With On-Premises infrastructure, you have complete visibility and control over everything. You can physically see your infrastructure, and if something goes wrong, you have the power and ability to take immediate actions to fix issues.

But with cloud services, you need to trust your provider to properly secure your environment and respond to any security incidents in a timely manner, and as the data shows, many IT departments are hesitant to relinquish control and are afraid of outages or data loss that might occur in the cloud.

Adding to the worries, if a security incident occurs on cloud infrastructure, there’s sometimes confusion over who’s ultimately responsible for addressing the problem because there’s shared security responsibility between you and the provider. Who needs to take actions to remedy an issue depends on where in the stack the security incident actually occurred. Therefore, it’s critical for cloud users to know who’s responsible for what.

HOW IAAS SECURITY RESPONSIBILITIES ARE DIVIDED

The two dominant cloud players, Amazon Web Services and Microsoft Azure, have both documented what they are responsible for as cloud providers when it comes to security. For example, in their shared responsibility model, Amazon Web Services has helpfully broken AWS security responsibilities into two main buckets:

“Security of the cloud” = everything the provider does, including:

• Securing global cloud infrastructure, including physical access to data center facilities where your IT resources are housed
• Protecting the physical networking, compute, and storage resources, so you don’t have to worry about setting up servers or storage hardware, patching firmware, or installing and properly disposing of drives, etc.
• Securing Hypervisors that host and manage your VMs running on cloud infrastructure

“Security in the cloud” = everything you’re responsible for, including:

• Guarding data generated or collected by your applications
• Maintaining secure operating system, network, and firewall configurations
• Identifying and accessing control mechanisms tied to any platforms or applications you manage
• Protecting information by ensuring data integrity, using encryption, and properly using identity management technologies

HOW SECURITY RESPONSIBILITIES DIFFER BETWEEN IAAS, PAAS, AND SAAS

Microsoft also draws a clear line that separates what cloud Service Providers and cloud customers are responsible for. Their March 2016 document entitled Shared Responsibilities for Cloud Computing goes one step further by breaking down responsibility areas across different cloud models including IaaS, PaaS, and SaaS.