Knowing the security context for each type of cloud service gives an enterprise security architect the starting point for evaluating cloud providers, according to John Overbaugh, Caliber Security Partners' managing director of security services. Evaluating the shared responsibility models of the different cloud service models, as well as each cloud provider's data classification approaches and privacy policies, is an essential first step in selecting a type of cloud and an individual cloud provider.
In this podcast, Overbaugh discusses cloud service models and lays out security issues in the three Software, Platform and Infrastructure (SPI) models: infrastructure as a service (IaaS), software as a service (SaaS) and platform as a service (PaaS). In each model, the security administration responsibilities of the customer and those of the provider differ substantially, with more responsibility placed upon the customer in IaaS than in PaaS. When choosing PaaS, however, the enterprise security architect must vet the tools the provider offers and the provider's infrastructure security.
Check that a cloud provider's system for data classification, or categorization of data for effective use, bears similarities to the enterprise's, Overbaugh advises. If the enterprise categorizes data by, say, topical content, file size and creation date, so should the provider. Conduct a data classification assessment that covers the provider's network topology, workflows, data flows, and systems hardware and software. The main goal is determining whether the provider's data storage system makes it easy to find the enterprise data that would be deployed there.
Jan Stafford plans and oversees strategy and operations for TechTarget's Application Development Media Group. She has covered the computer industry for the last 20-plus years, writing about everything from personal computers to operating systems to server virtualization to application development.