Cloud Security: Baked In vs. Bolted On
A frequently raised contention in the security industry is that security needs to be "baked in" rather than "bolted on." This shift requires security by design, meaning that security considerations form a significant part of the infrastructure architecture from the outset rather than being added afterwards.
What is secure architecture?
Secure architecture in the cloud is similar to what one would expect from a security infrastructure in an in-house data center. In both cases, a secure architecture is composed of layers of hardware and software that help reduce tampering and data loss. However, the cost of designing, implementing and maintaining a secure in-house architecture may be significantly higher than the cost of doing so in the cloud, since many security costs (e.g. hardware, maintenance, IT staff) may be absorbed by the cloud service provider. Furthermore, the security level of such an architecture is defined and assessed against a number of standards, including:
- SAS 70 Type II (since superseded by SSAE 16 and the SOC report framework)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
Security experts are split into three main schools of thought on secure architecture in the cloud. The three viewpoints differ on how much responsibility for security the cloud service provider should take, as compared to how much initiative the customer should take:
- The cloud service provider should offer rich security capabilities "baked in" to the platform itself.
- The cloud service provider should provide integration points for third-party security service providers, so that most security capabilities can be "bolted on."
- The cloud service provider should maximize the security of the platform itself by focusing on API (application programming interface) security, isolation, and availability of service, leaving the majority of security controls to higher-level programmatic or application layers.
Bolted-On Security vs. Baked-In Security
According to Carlos Solari, chief technology officer at Alcatel-Lucent, "After-market, or bolt-on, security is a failed model. It's not working now and is certainly not going to work in the future when you have less and less control of these assets when they live in some third-party location. The truth of the matter is that everyone who provides technology needs to be a security firm."
The baked-in approach to security calls for significant changes across the industry. Baked-in security means that security is designed in at the point of product creation and that the product is hardened to a sufficient level before it is delivered to the consumer.
While a bolted-on approach to security may have been acceptable five years ago, the development of new technologies and the widespread move to cloud computing demand a different attitude towards IT security. For a more detailed discussion of the pros and cons of the baked-in and bolted-on approaches, see our blog post at: