The lure and mystique of cloud computing sometimes give customers a false sense of security (no pun intended): a belief that the cloud will auto-magically provide new levels of security for their applications without them having to think about it. The cynics, on the other hand, will remind us that the cloud is just ‘someone else’s computer’, and to a certain extent that is true.
With cloud computing having been prevalent for several years now, many will be familiar with the ‘Pizza as a Service’ comparisons that have been bandied around on LinkedIn, Facebook and Twitter. The analogy contrasts making a pizza yourself with buying one from a take-away or restaurant.
As seen in the example above, the analogy has been used to explain the differences between on-premises IT and the IaaS, PaaS and SaaS cloud computing models.
Breaking this down further, in IT terms, there is a clear division of responsibilities between customer and provider with IaaS that does not exist with on-premises IT, where the customer owns every layer.
In the diagram above, the main elements are shown from both an on-premises and an IaaS perspective. Arguably there could be another box for ‘cloud management platform’, and you will find differing versions of the diagram out there.
Virtualisation is the key technology that has enabled cloud computing, and cloud management platforms have enabled the self-service capabilities that we now know as cloud: from the virtual machine (CPU and RAM) and storage through to complex virtual networking provision.
Starting at the bottom of the stack, it is worth spending a moment on the physical aspects of cloud computing. With an on-premises implementation, the customer is responsible for everything, including the physical data centre or computer room and its security, as well as power, cooling and networking.
When thinking about cloud, in most cases the cloud service provider will be leasing space from a data centre provider rather than owning the building, so customers should be asking both the provider and, where possible, the data centre operator:
- Where is the data centre? Whose data centre is it? Are there several locations?
- How secure is it? What about perimeter security, CCTV and entry systems?
- What industry accreditations does the data centre provider have?
- Can I visit?
- What provisions are there for power, cooling and networking?
- How resilient are all of these things?
- What industry accreditations do you have for your processes and compliance?
  - ISO 27001 (the certifiable standard in the ISO 27000 family), ISO 9001, CSA STAR, HIPAA, G-Cloud, etc.
- What SLAs do you provide around availability, performance and support?
- Who has access to my cloud environment?
- Will the data stay in the locations I have selected? Could it be moved or copied elsewhere, perhaps out of the country?
Security and Compliance
Here at iland, we take security and compliance very seriously. As we’ll discuss later, most enterprise organisations have built up compliance teams over recent years, especially in the heavily regulated industries, and have had to attain certifications or attestations. When consuming cloud services, these organisations need the same levels of compliance and security, but that is often difficult to achieve when working with public cloud providers who are trying to be all things to all people. It is also worth remembering that a provider’s certification covers only the provider’s scope; the controls the customer manages above that line still have to be evidenced by the customer.
Through our cloud console, iland shares all of our compliance documentation, which includes:
- ISO 27001 for Information Security Management Systems (ISMS)
- ISO 20000 for IT Service Management
- ISO 9001 for Quality Management Systems (QMS)
- SSAE 16/18 and SOC 2 attestation reports
- PCI DSS (for iland as a business, and for the cloud infrastructure)
- NIST SP 800-53 security controls for US federal information systems, as required under FISMA
- HIPAA/HITECH data privacy and security provisions for safeguarding healthcare data
- CSA STAR Certification – Gold
- UK ICO / G-Cloud 9
In the second part of this blog series, we’ll drill down into the upper section of the stack, the aspects that will be managed by the customer.