Although moving workloads to the cloud decreases IT’s responsibilities, both SaaS and PaaS models require targeted cloud security strategies to safeguard applications.
Most enterprises think that their workload security is now in the hands of the cloud PACS system provider when they migrate to the cloud.
In reality, most cloud vendors enforce a shared responsibility model. The security model differs among the cloud computing service categories (SaaS, PaaS, and IaaS), but in all cases security responsibilities are split to some extent between cloud providers and their customers.
IT operations administrators’ security responsibilities are clearer when applications and servers are hosted on premises; teams can physically access, or at least have direct control over, the IT resources running in their data centers. Administrators must drastically change how they manage workloads when using cloud computing, in which users “rent” compute resources from a provider. This can create security gaps in some cases.
Admins can apply some best practices they learned while securing on-premises resources to SaaS and PaaS.
Access control is a crucial component of SaaS security
Enterprises can access SaaS applications that are hosted and managed by a cloud provider. Compared with how they maintain on-premises workloads, IT teams might appear to be free from any security responsibilities. That, however, is an apples-to-oranges comparison.
SaaS applications still require IT teams to manage configurations and access controls.
SaaS providers do manage and secure the infrastructure, OS, and applications, but it is still up to IT teams to manage SaaS application configuration and access controls. All SaaS solutions have admin accounts, through which IT staff can add or remove user permissions for the application, whether it’s for Microsoft Office 365, a learning management system, or an HR tool. Administrators can also disable or enable certain application features based on enterprise needs and compliance models. To prevent accidental SaaS-wide changes, only allow a select group of operations admins access to these accounts, and where possible separate the admin accounts from daily user accounts.
In cloud migrations, permissions are granted temporarily, and IT teams can forget to reset access after the migration is complete. Auditing account access is a critical component of cloud security.
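One way to run the access audit described above, as an added example that is not part of the original article: it checks a constructed role export for admin rights outside the approved group, admin rights on daily user accounts, and temporary migration grants that were never reset. The CSV columns, the `-admin` naming rule and the `audit_access` function are assumptions for illustration, not any SaaS vendor's export format.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are assumptions, not a vendor format.
SAMPLE_EXPORT = """account,role,granted_on,expires_on,reason
alice@example.com,user,2023-01-10,,
alice-admin@example.com,admin,2023-01-10,,
bob@example.com,admin,2024-02-01,,
carol@example.com,editor,2024-03-01,2024-04-01,migration
dave@example.com,admin,2024-03-01,,migration
erin-admin@example.com,admin,2024-03-05,2024-06-30,migration
"""

APPROVED_ADMINS = {"alice-admin@example.com"}  # the select group of operations admins
ADMIN_SUFFIX = "-admin"  # assumed naming rule for dedicated admin accounts


def audit_access(export_text, today, approved_admins=APPROVED_ADMINS):
    """Return a sorted list of (account, finding) tuples for one export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        account = row["account"].strip().lower()
        role = row["role"].strip().lower()
        expires = row["expires_on"].strip()
        temporary = row["reason"].strip().lower() == "migration"
        if role == "admin":
            # Admin rights belong only to the approved operations group.
            if account not in approved_admins:
                findings.append((account, "admin role outside approved group"))
            # Admin rights should sit on a dedicated account, not a daily one.
            if not account.split("@", 1)[0].endswith(ADMIN_SUFFIX):
                findings.append((account, "admin role on a daily user account"))
        # Migration grants need an end date, and must be gone once it passes.
        if temporary and not expires:
            findings.append((account, "temporary grant has no expiry date"))
        elif expires and date.fromisoformat(expires) < today:
            findings.append((account, "temporary grant expired but still present"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_access(SAMPLE_EXPORT, date(2024, 5, 15)):
        print(f"{account}: {finding}")
```

Running the same check on a schedule against each fresh export turns the post-migration reset from something remembered into something verified.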
Security is a greater concern with PaaS
PaaS deployments increase IT staff responsibilities in comparison to SaaS. Admins have more control of their applications using PaaS, which transfers more security responsibilities from the cloud provider to the user.
Security can be a challenge for operations staff when it comes to PaaS, since the team that owns the application is usually responsible for app security rather than the security and infrastructure team. PaaS thus places a lot of security responsibility on people whose primary concern is the delivery of applications.
For PaaS, enterprises are more responsible for security than for SaaS.
Cloud adoption has exacerbated the gap between the application owner and the security team. While operations teams won’t be responsible for securing the cloud application itself, they will have to ensure that external parties follow security best practices.
Changes to toolsets and processes
Security testing and verification in the cloud can’t be successful using traditional tools and processes. If enterprises plan to run security scans or penetration tests on their cloud provider’s resources, for example, they may need to notify their cloud provider. Cloud providers generally define certain practices that users must follow to perform these tests, even if they do not require these notifications. Also, the internal security team of a cloud provider has the right to respond to tests on the platform.
Several third-party products, such as HyTrust and CipherCloud, can validate the security of cloud deployments, as can cloud providers’ native tools, such as AWS Security Hub and Azure Security Center. It’s simply bad for business for cloud providers to see their users experiencing a security issue, so make use of the tools available to you.
Overall, however, cloud security considerations are more about processes and verification than technical shortcomings. Rather than relying on one tool, IT operations teams should emphasise policy and procedure.