Cloud Security: Baked In vs. Bolted On
A frequently-raised contention in the security industry is the need for security to be "baked in," rather than "bolted on." This paradigm shift requires security by design, meaning that security considerations make up a significant part of infrastructure architecture.
What is secure architecture?
Secure architecture in the cloud is similar to what one might expect from a security infrastructure in an in-house data center. In both cases, a secure architecture would be composed of layers of hardware and software that help to reduce tampering and data loss. However, the cost of designing, implementing and maintaining a secure in-house architecture may be significantly higher than that in the cloud. Security costs in the cloud (e.g. hardware, maintenance, IT staff) may be absorbed by the cloud service provider. Furthermore, security levels are defined and determined by a number of standards, including:
- SAS70 Type II
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
Opposing viewpoints
Security experts are split into three main schools of thought regarding secure architecture in the cloud. These three viewpoints differ on how much responsibility the cloud service provider should take for security, as compared to how much initiative the customer should take. They are described below:
- The cloud service provider should offer rich security capabilities "baked in" to the platform itself.
- The cloud service provider should provide options for third party security service providers to allow most security capabilities to be "bolted on."
- The cloud service provider should maximize the security of the platform itself by focusing on API (application programming interface) security, tenant isolation, and availability of service. The majority of security controls should then be left to the higher-level programmatic or application layers built on top of the platform.