Who is responsible for security in the Cloud?
There are at least three categories of service providers in the cloud:

1. IaaS - Infrastructure as a Service (e.g. GoGrid, Amazon EC2)
2. PaaS - Platform as a Service (e.g. Force.com, Google App Engine)
3. SaaS - Software as a Service (e.g. Salesforce, SAP Business ByDesign, ...)

The details of these different providers are not in the scope of this post. I will write about how to manage security on these platforms and who is responsible for which part of the security. There are two main parties involved: service providers and customers.

1. IaaS: The providers treat the deployed applications as black boxes and are mostly agnostic to the life cycle management of the hosted application's stack. The stack runtime executes in the customer's container (Java, PHP, Ruby, etc.) and is managed by the customer. Since the application is completely controlled by the customer, application-level security is also the customer's responsibility. The onus is on the web application developers to architect the application deployed in the cloud so that it can handle the Internet threat model. Security countermeasures have to adhere to some of the standards, such as the OWASP Top Ten. (The 2010 release candidate spec for OWASP is here). Customers should design and implement applications with a "least-privileged" runtime model. (description of least-privileged). The architecture of an IaaS-hosted application resembles the enterprise web application model. However, in an enterprise, distributed applications run with many controls in place to secure the network connections. Comparable controls might not exist in an IaaS platform.

2. PaaS: Since the cloud service providers supply the platform, they provide the necessary mechanisms to secure the platform stack, including the runtime engine (the customers seldom have control over the platform). Vendors are reluctant to expose the technical details of the platform, in order to prevent attacks. But usually these are multi-tenant platforms. Therefore the core security tenets are isolation and containment of the applications from each other. Security provisioning is rather proprietary in PaaS, e.g. Google App Engine gives HTTPS support and Force.com offers the Apex API to configure security parameters. Essentially the broad choices are: SSL, user authentication using the service provider's user store, and basic privilege management.

3. SaaS: The service provider owns the entire stack in this case and is responsible for providing a secure stack.
The customer can usually manage security policies such as user access rights and role assignments. In some cases, customers might have read/write access at the object level. There might be security glitches even when the provider controls and hosts a sophisticated stack. For example, Google had a slight glitch. And again. To achieve maximum economies of scale, the providers might be hosting the customers on the same virtual box, separating the data only through program logic (tags, etc.). Therefore the customers have to be cognizant that security violations might occur due to a bug in the code.

In summary, depending on IaaS, PaaS or SaaS, the responsibility for security provisioning changes. Customers have most of the responsibility when using IaaS, and it is the service provider's responsibility to provision a secure app all the way in a SaaS model.
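
The SaaS point above, that tenants on a shared box are separated only through program logic (tags), shown as an added example that is not part of the original post: one query that forgets the tag leaks another customer's row, while a tenant-bound accessor applies the tag on every read. The `invoices` table, the `tenant_id` column, `TenantScope` and the sample rows are all hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: two tenants share one table, separated only by a tag."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, "
               "tenant_id TEXT NOT NULL, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "acme", 100), (2, "acme", 250), (3, "globex", 999)])
    return db

def get_invoice_buggy(db, tenant_id, invoice_id):
    # Bug: tenant_id is accepted but never used in the query, so any tenant
    # can read any row just by asking for its id.
    return db.execute("SELECT id, tenant_id, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()

class TenantScope:
    """All data access for one authenticated tenant goes through this object."""

    def __init__(self, db, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._db, self._tenant = db, tenant_id

    def get_invoice(self, invoice_id):
        # The tenant filter is applied here once, not left to each caller.
        return self._db.execute(
            "SELECT id, tenant_id, amount FROM invoices "
            "WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant)).fetchone()

    def list_invoices(self):
        return self._db.execute(
            "SELECT id, tenant_id, amount FROM invoices "
            "WHERE tenant_id = ? ORDER BY id", (self._tenant,)).fetchall()

def cross_tenant_rows(rows, tenant_id):
    """Check a response before it is sent: rows tagged for another tenant."""
    return [r for r in rows if r is not None and r[1] != tenant_id]

if __name__ == "__main__":
    db = make_db()
    leaked = get_invoice_buggy(db, "acme", 3)
    print("buggy path returned:", leaked)
    print("flagged as cross-tenant:", cross_tenant_rows([leaked], "acme"))
    print("scoped path returned:", TenantScope(db, "acme").get_invoice(3))
```

A check like `cross_tenant_rows` is the kind of assertion a provider can run in tests or on outgoing responses; a customer cannot see this code and can only ask how the separation is enforced.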