There are five essential pillars of cloudiness. In this recurring blog series, we’ll count down from No. 5 to No. 1. In this first post, we discuss security.
One of the biggest misconceptions about cloud computing today is the perception that it’s insecure. The reality is that the risks traditional applications face are the same as those found in the cloud. The cloud does, however, change the security conversation: security becomes, in part, the responsibility of both the application builder and the cloud hosting provider.
There are three common scenarios that describe cloud hosting: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). Each of these scenarios places responsibility for security in both the cloud hosting provider’s hands and yours. As you move from IaaS to SaaS, your responsibility for security decreases.
For a deeper dive into security on the open cloud, check out the DevOps Blog.
IaaS is the foundational building block of the cloud. In an IaaS environment, the cloud hosting provider supplies raw compute power. This puts the onus on you, the consumer, to implement the correct security protocols. When building on IaaS environments, one of the most commonly overlooked issues is system patching. When a new server is booted, it is likely already out of date when it comes to software patches, because the image it boots from was built and exposed months, sometimes years, before being built into a server.
This is where software configuration management (SCM) tools such as Chef and Puppet can save the day. These tools help bring systems up to date on patches and can also be configured to lay down configuration files you have hand-built to suit your application’s needs.
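A check for the stale-image problem described above, as an added example that is not part of the original post: it parses the output of `apt-get -s dist-upgrade` (a simulation that changes nothing) to list the packages a freshly booted server shipped out of date. It assumes a Debian or Ubuntu host; the function names and the sample output are constructed for illustration.

```python
import re
import subprocess

# One "Inst" line per package APT would install or upgrade, for example:
# Inst bash [5.1-6ubuntu1] (5.1-6ubuntu1.1 Ubuntu:22.04/jammy-updates [amd64])
INST_RE = re.compile(
    r"^Inst (?P<pkg>\S+)(?: \[(?P<old>[^\]]+)\])? "
    r"\((?P<new>\S+) (?P<origin>[^)]*)\)"
)

# Constructed sample of simulated-upgrade output (versions are illustrative).
SAMPLE = """\
Reading package lists...
The following packages will be upgraded:
  bash openssl tzdata
Inst openssl [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst bash [5.1-6ubuntu1] (5.1-6ubuntu1.1 Ubuntu:22.04/jammy-updates [amd64])
Inst tzdata [2023c-0ubuntu0.22.04.0] (2024a-0ubuntu0.22.04 Ubuntu:22.04/jammy-updates [all])
Inst libfoo1 (1.0-1 Ubuntu:22.04/jammy-updates [amd64])
Conf openssl (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
"""


def pending_updates(sim_output):
    """Return (all_upgrades, security_upgrades) as lists of (pkg, old, new)."""
    upgrades, security = [], []
    for line in sim_output.splitlines():
        m = INST_RE.match(line.strip())
        if not m or m.group("old") is None:
            continue  # not an Inst line, or a new dependency with no old version
        entry = (m.group("pkg"), m.group("old"), m.group("new"))
        upgrades.append(entry)
        # Security fixes come from an archive whose name contains "security".
        if "security" in m.group("origin").lower():
            security.append(entry)
    return upgrades, security


def ready_for_service(sim_output):
    """Gate: a fresh server is ready only with no pending security upgrades."""
    return not pending_updates(sim_output)[1]


if __name__ == "__main__":
    out = subprocess.run(["apt-get", "-s", "dist-upgrade"],
                         capture_output=True, text=True, check=True).stdout
    upgrades, security = pending_updates(out)
    print(f"{len(upgrades)} outdated packages, {len(security)} security fixes pending")
    for pkg, old, new in security:
        print(f"  {pkg}: {old} -> {new}")
```

Run after the configuration management tool has finished, a non-empty security list means the patch step did not bring the server up to date.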
PaaS adds to IaaS and provides the next building block of the cloud. IaaS lays down an environment in which an application can be developed and housed. PaaS doesn’t just provide raw compute but also libraries and frameworks for the environment it supports. This lowers the liability and responsibility assumed by the consumer.
SaaS is considered the top level of cloud applications. A full application has been built, security has been baked in at every level and you now have the least amount of responsibility in ensuring application security. You are not relieved of all security management; this is just traditionally where the least amount of management has to occur, and that is enticing to many businesses.
A good rule of thumb is that the further down the stack a cloud offering is, the more responsible you are as a user for tactically implementing and managing security. Ultimately, security in the cloud is a shared responsibility between you and your cloud hosting provider. It is key to understand what each side provides in terms of security, as well as the legal and contractual aspects.
For a more detailed technical look at security, check out Racker Hart Hoover’s post on the DevOps Blog. Tune in next week when Wayne talks about the second pillar of cloudiness: being agile through product knowledge. Need more information about developing on the cloud? Be sure to check out our Rackspace Cloud API documentation and the Rackspace DevOps blog.