Before moving to the main important cores of the cloud we need to understand what are the boundaries of cloud computing we need to understand some concepts.
In legacy environments, we had bright-line definitions of the organization’s IT perimeter.
Everything inside the perimeter belonging to the organization, including data, hardware, and risk; everything outside was someone else’s problem.
We could even point at a specific location, a given cable leaving the facility or campus, and know that it, there, was the place where our control ended and someone else’s began.
We could armor our defenses at the interface between the internal environment and external factors, building up a demilitarized zone (DMZ).
This is not readily the case with cloud computing. In the cloud motif, our data resides inside an IT environment owned by someone else, riding on a hardware infrastructure that does not belong to us, and largely outside our control.
Our users operate programs and machines that we have limited access to and knowledge of. It is, therefore, difficult to know exactly where the boundaries exist in cloud models, where our risks are, and how far they extend.
In this section, we’ll apply a notional perspective of cloud computing boundaries.
But it is extremely important to remember this: under the current legal and regulatory regime, the cloud customer is always ultimately legally liable for any loss of data. This is true even if the cloud provider demonstrates negligence or malice.
Note
The cloud customer can seek restitution if the cloud provider fails in some way, causing damage to the customer.
For instance,
If the cloud provider hires an administrator who then illegally sells access to data belonging to the cloud customer, the customer can sue the provider for damages.
However, the cloud customer is still legally responsible for all mandates applicable to the loss, such as complying with data breach notification laws in that jurisdiction.
This requirement does not cease just because the cloud customer has outsourced operations to the cloud provider.
So what do these boundaries look like, in the different cloud models? What are the boundaries of cloud computing?
What are the IaaS Boundaries in cloud computing?
In Infrastructure as a Service (IaaS), the cloud customer has the most responsibility and authority of all the possible cloud models.
The provider is responsible for the buildings and land that compose the datacenter; must provide connectivity and power; and creates and administers the hardware assets the customer’s programs and data will ride on.
The customer, however, is in charge of everything from the operating system and up;
all software will be installed and administered by the customer, and the customer will supply and manage all the data.
In terms of security, the cloud customer is still losing some of the control featured in the legacy environment.
For instance,
The customer obviously does not get to select the specific IT assets, so the security of the acquisition process (during which we normally vet vendors and suppliers) must be entrusted to the cloud provider.
The cloud customer may also lose some ability to monitor network traffic inside the data center the cloud provider might not be willing to allow the customer to place monitoring equipment or sensors on the provider’s infrastructure.
Also might refuse to share traffic data they, the provider, have collected themselves.
This makes auditing difficult, which also affects security policy and regulatory compliance.
An organization migrating to the cloud will necessarily have to drastically adapt its security policy to reflect the new constraints and will have to find some way to provide the required deliverables to appease regulators.
This must be negotiated at the outset of migration, and early communication with regulators is highly advisable.
For instance,
If regulators insist on scheduled audits of the environment where data processing takes place, what form will those audits take, if the organization cannot now directly audit network traffic and event logs?
In IaaS, though, the cloud customer may still collect and review event logs from the software, including the OS, which still lends a great deal of insight into the usage and security of the data.
What are the PaaS Boundaries in cloud computing?
With Platform as a Service (PaaS), the cloud customer loses still more control of the environment, because the cloud provider is now responsible for installing, maintaining, and administering the OS(s).
This will entail further modification of the security policy and additional efforts to ensure regulatory compliance.
The cloud customer still, however, gets to monitor and review software events, since the programs running on the OS will belong to the customer.
The responsibilities for updating and maintaining the software will also be the customers.
However, updates and administration of the OS now fall to the provider, which, while posing a loss of control for operational and security purposes on the customer’s part, will also represent cost savings and an increase of efficiency.
What are the SaaS Boundaries in cloud computing?
With Software as a Service (SaaS), of course, most of the control of the environment is ceded to the provider.
The cloud customer will not have ownership of the hardware, the software, or the administration of either; the customer only supplies and processes data to and in the system.
For all relevant intents and purposes, the cloud customer, as an organization, has taken the role and responsibilities of what a common user would have in a legacy environment-
Few administrative rights, few privileged accounts, and very few permissions and responsibilities.
To repeat what we’ve mentioned earlier: the customer remains liable for all statutory and contractual obligations related to the safeguarding of the data but, in this case, has little control over how that data is protected.
The cloud provider is now almost exclusively responsible for all system maintenance, all security countermeasures, and the vast majority of policy (and implementation of that policy) affecting the data.
In all three models, the customer is giving up an essential form of control: physical access to the devices on which the data resides.
This is a massive and serious increase of risk and loss of assurance; anyone who can physically access the location of the data can eventually take it, with or without permission.
Can we implement means to reduce the likelihood of breaches as a result of this risk?
Of course and we need to do so, in order to demonstrate due diligence.
Such measures might include ensuring the cloud provider performs strict background checks and continual monitoring of all personnel with access to the datacenter, extreme physical security measures at the data center location, encryption of data processed, and stored in the cloud.
Assignment of contractual liability to the provider bearing in mind that legal liability remains with the customer, however, and so forth.
It is important to remember, though, that the residual risk of loss of data to physical access will always remain, even if attenuated.
