
SaaS, PaaS and IaaS: risk levels differ greatly


17.06.10, 02:17, Msk

According to experts, security requirements and the methods for solving security problems differ considerably across the SaaS, PaaS and IaaS models.

Cloud computing is now one of the most discussed subjects among IT specialists. And no matter which model is being discussed, SaaS (software as a service), IaaS (infrastructure as a service) or PaaS (platform as a service), the conversation soon comes down to cloud security.

According to Milind Govekar, an analyst at Gartner, in the annual survey Gartner conducts among chief information officers about technology investments, cloud computing jumped from 16th to second position. According to him, the main objective now is cloud security. Indeed, the vast majority of clients, having learned about the cloud, say that they would rather create a virtual data processing center on their own premises (this is still sometimes called a "private cloud"), as they are poorly acquainted with the security issues of cloud computing and the options for solving them.

"We are at the initial stage of a fantastic journey to a new computational model which, for all its expected advantages, is quite difficult," agrees Jay Heiser, an analyst at Gartner. "What makes this journey easy and attractive also makes it impossible to assess the related risks. The existing information security standards, such as SAS 70 and ISO 27001 and 27002, are not sufficient, which leads both clients and suppliers to disappointment."

"In this regard, the security of cloud computing will be the main activity of vendors next year," says Jonathan Penn, an analyst at Forrester Research. "Developers who work in security are used to selling their products directly to enterprises. Over time, however, they will use cloud providers to deliver their products to the market. It will be a time of sweeping changes and shocks," he adds.

At the same time, organizations such as the Cloud Security Alliance (CSA) are working on cloud security issues and looking for ways to solve them. CSA recently issued an overview of the main strategic and tactical security concerns relating to clouds, along with recommendations for eliminating them. The organization divided this area into two main directions: management and implementation.

The questions concerning management include: enterprise resource management, compliance with statutory requirements, information lifecycle management, and compatibility.

The following questions belong to implementation: traditional security, business continuity and recovery after failures; data processing centers; incident response, warning and recovery; application security; encryption and key management; identification and access control; virtualization.

CSA also compiled an overview of the main threats to the different cloud computing models and offered recommendations for addressing them. The means for coping with these threats include XML SOA, data encryption tools, key management, identification and access management, virtual access isolation systems and many others.

Experts emphasize that the risk level differs strongly across the three cloud models, and that the solutions to security issues also differ depending on the interoperability layer. Security requirements remain identical, but the level of control over security changes between the SaaS, PaaS and IaaS models. From a logical point of view nothing changes, but the possibilities for physical implementation differ radically.

SaaS. As CSA explains, in the SaaS model the application runs on cloud infrastructure and is available via a web browser. The client does not manage the network, servers, operating systems, data storage or even some application capabilities. For this reason, in the SaaS model the fundamental responsibility for security falls almost completely on suppliers.

PaaS. As CSA explains, PaaS assumes that clients create applications using the programming languages and tools supported by the vendor and then deploy them on cloud infrastructure. As in the SaaS model, the client cannot manage or control the infrastructure (networks, servers, operating systems or storage systems) but has control over the deployment of applications.

In the PaaS model, users should pay attention to application security and to the questions connected with API management, such as confirmation of access rights, authorization and verification.

IaaS. Although clients here do not control the underlying cloud infrastructure, they have control over operating systems, data storage and the deployment of applications and, possibly, limited control over the choice of network components.

This model has several built-in security capabilities, without protection of the infrastructure itself. This means that users must manage and secure the operating systems, applications and content, as a rule through an API.