In the case of PaaS, risk may be mitigated by a combination of contract terms and technical engineering choices and controls. This is because the user is responsible for much of the application environment and some security features can be built in to mitigate risk.
With IaaS, a combination of contract terms and technical engineering choices and controls is still relevant, but there is much more emphasis on, and choice about, technical security infrastructure, because the user has control of and responsibility for much of the operating environment.
Summing it Up
The cloud is not a “one-size-fits-all” proposition, and service model options provide choices, depending on needs. For each service model, the options for mitigating risk are balanced differently, primarily in the proportions of contractual and engineering resources, which may require more direct participation in technology risk decisions by the user.
Here are some key takeaways from the cloud service model discussion:
• For SaaS, the primary risk control mechanism is contract terms, whereas PaaS and IaaS require a combination of technical engineering controls as well as contract terms to effectively manage risk.
• The lower in the SPI model the chosen service sits, the more control and customization are available. The trade-off is more responsibility for security and management.
• The nature and types of specialty skill sets required to assess and manage risk will vary depending on the service model chosen.
• Decisions need to be made about whether security controls can be outsourced to a provider, or maintained under the control of the user organization or an independent third party.
• To meet regulatory and compliance requirements, in every case, organizational policies require careful review, and consideration must be given to whether the choice of a particular model is valid.
• Regardless of the appeal that any given technical approach may have, the business implications require alignment with an organization’s overall Enterprise Security Risk Management program.
Shayne Bates, CCSK, CPP, CHS-V, FABCHS, leads security cloud strategy development as a Consultant to Microsoft Global Security. He has extensive experience in cloud, security technology, business process and operations, and has served in advisory roles to executive teams collaborating with stakeholders on a global scale. A frequent contributor to security topics, Bates has numerous published articles on topics including risk management and cloud computing, and he maintains a blog at http://www.cyber-crime.biz.