Cloud Computing Security Architecture
Security in cloud computing is a major concern. Proxy and brokerage services should be employed to restrict a client from accessing the shared data directly. Data in the cloud should be stored in encrypted form.
Before deploying a particular resource to the cloud, one should analyze several aspects of the resource, such as:
- Select the resource that needs to move to the cloud and analyze its sensitivity to risk.
- Consider the cloud service models (IaaS, PaaS, and SaaS); these models make the customer responsible for security at different service levels.
- Consider the cloud type: public, private, community, or hybrid.
- Understand the cloud service provider's system for data storage and for transferring data into and out of the cloud.
- The risk in a cloud deployment mainly depends on the service model and the cloud type.
Understanding Cloud Security
The Cloud Security Alliance (CSA) stack model defines the boundaries between each service model and shows how the different functional units relate. A particular service model defines the boundary between the service provider's responsibilities and the customer's. The following diagram shows the CSA stack model:
Key Points to CSA Model
- IaaS is the most basic level of service, with PaaS and SaaS the next two levels above it.
- Moving upwards, each service inherits the capabilities and security concerns of the model beneath.
- IaaS provides the infrastructure, PaaS provides the platform development environment, and SaaS provides the operating environment.
- IaaS has the lowest integrated functionality and security level, while SaaS has the highest.
- This model describes the security boundaries at which cloud service providers’ responsibilities end and customers’ responsibilities begin.
- Any protection mechanism below the security boundary must be built into the system and maintained by the customer.
Although each service model has its own security mechanisms, security requirements also depend on where these services are located: in a private, public, hybrid, or community cloud.
Understanding data security
Since all data is transferred over the Internet, data security in the cloud is a major concern. Here are the key mechanisms for protecting the data:
- access control
- audit trail
The service model should include security mechanisms working in all of the above areas.
Separate access to data
Since the data stored in the cloud can be accessed from anywhere, we need to have a mechanism to isolate the data and protect it from the client’s direct access.
Brokered cloud storage access is a way of isolating storage in the cloud. In this approach, two services are created:
- A broker has full access to the storage but does not have access to the client.
- A proxy does not have access to storage but has access to both the client and the broker.
How a brokered cloud storage access system works
When the client issues a request to access data:
- The client's data request goes to the external service interface of the proxy.
- The proxy forwards the request to the broker.
- The broker requests the data from the cloud storage system.
- The cloud storage system returns the data to the broker.
- The broker returns the data to the proxy.
- Finally, the proxy sends the data to the client.
All the above steps are shown in the following diagram:
Encryption helps to protect the data from unauthorized access. It protects both the data being transferred and the data stored in the cloud. Although encryption protects data from unauthorized access, it does not prevent data loss.
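The brokered access flow above, combined with encryption at rest, as an added example in Python (not code from the original page): the proxy authenticates the client, enforces access control and keeps an audit trail; the broker alone holds the data key and the storage handle and serves only requests carrying the proxy's HMAC; the storage holds ciphertext only. The HMAC secret, token table, sample record and the XOR keystream cipher are constructed simplifications for illustration.

```python
import hashlib
import hmac

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy at-rest cipher: XOR with a SHA-256 counter keystream (illustration, not for production)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

class CloudStorage:
    """Stores ciphertext only; has no notion of clients or users."""
    def __init__(self, data_key: bytes, records: dict):
        self.blobs = {n: _keystream_xor(data_key, p) for n, p in records.items()}

class Broker:
    """Full access to storage and the data key, but no client-facing interface:
    it only serves requests carrying a valid HMAC produced by the proxy."""
    def __init__(self, storage: CloudStorage, data_key: bytes, proxy_secret: bytes):
        self._storage, self._key, self._proxy_secret = storage, data_key, proxy_secret
    def handle(self, name: str, signature: bytes) -> bytes:
        expected = hmac.new(self._proxy_secret, name.encode(), "sha256").digest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("request did not come through the proxy")
        return _keystream_xor(self._key, self._storage.blobs[name])

class Proxy:
    """External service interface: authenticates the client, enforces access control,
    writes the audit trail and forwards to the broker. Holds no storage access or data key."""
    def __init__(self, broker: Broker, proxy_secret: bytes, tokens: dict):
        self._broker, self._secret, self._tokens = broker, proxy_secret, tokens
        self.audit = []  # audit trail entries: (user, object name, decision)
    def request(self, token: str, name: str) -> bytes:
        user, allowed = self._tokens.get(token, (None, set()))
        ok = user is not None and name in allowed
        self.audit.append((user, name, "allowed" if ok else "denied"))
        if not ok:
            raise PermissionError("access denied")
        sig = hmac.new(self._secret, name.encode(), "sha256").digest()
        return self._broker.handle(name, sig)

def build_demo():
    """Wire the three services with constructed sample data and credentials."""
    data_key, proxy_secret = b"constructed-data-key", b"constructed-proxy-secret"
    storage = CloudStorage(data_key, {"payroll.csv": b"alice,5000\nbob,4200\n"})
    broker = Broker(storage, data_key, proxy_secret)
    tokens = {"tok-alice": ("alice", {"payroll.csv"}), "tok-eve": ("eve", set())}
    return Proxy(broker, proxy_secret, tokens), broker, storage
```

A client that reaches the broker directly without the proxy's signature is refused, and a client that bypasses the broker sees only ciphertext in storage.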
Why is cloud security architecture important?
The difference between "cloud security" and "cloud security architecture" is that the former is built from problem-specific measures while the latter is built from threats. A cloud security architecture can reduce or eliminate the holes in security that point-solution approaches are almost certain to leave.
It does this by building down – defining threats starting with the users, moving to the cloud environment and service provider, and then to the applications. Cloud security architectures can also reduce redundancy in security measures, which will contribute to threat mitigation and increase both capital and operating costs.
The cloud security architecture also organizes security measures, making them more consistent and easier to implement, particularly during cloud deployments and redeployments. Security is often undermined because it is illogical or complex, and these flaws can be identified with a proper cloud security architecture.
Elements of cloud security architecture
The best way to approach cloud security architecture is to start with a description of the goals. The architecture has to address three things: an attack surface represented by the external access interfaces, a protected asset set that represents the information being protected, and threat vectors designed to perform indirect attacks against the system from anywhere, including from within the cloud.
The goals of the cloud security architecture are accomplished through a series of functional elements. These elements are often considered separately rather than as part of a coordinated architectural plan. They include access security or access control, network security, application security, contractual security, and monitoring, sometimes called service security. Finally, there is data protection, which consists of measures implemented at the protected-asset level.
A complete cloud security architecture addresses the goals by unifying the functional elements.
Cloud security architecture and shared responsibility model
The security and security architectures for the cloud are not single-player processes. Most enterprises will keep a large portion of their IT workflow within their data centers, local networks, and VPNs. The cloud adds additional players, so the cloud security architecture should be part of a broader shared responsibility model.
A shared responsibility model is an architecture diagram and a contract form. It exists formally between a cloud user and each cloud provider and network service provider if they are contracted separately.
Each will divide the components of a cloud application into layers, with the top layer being the responsibility of the customer and the lower layers being the responsibility of the cloud provider. Each separate function or component of the application is mapped to the appropriate layer depending on who provides it. The contract form then describes how each party responds.