Excellium services newsletter : Cloud Security

by colinelacatena

Cloud Computing

Cloud Computing represents the on-demand delivery of IT resources over the internet. It is a modern alternative to buying, owning and maintaining physical servers or datacentres. The use of cloud computing has changed the landscape of computing, as it comes with an increase in reliability and scalability and a major decrease in costs.
When talking about Cloud Computing, we can refer to one of three options:

  • IaaS – Infrastructure as a service – contains the basic building blocks for cloud IT by providing access to network features, computers (virtual or on dedicated hardware) and data storage capacity. IaaS gives the highest level of flexibility and management control over IT resources. It is the closest option to the classical IT infrastructure that most administrators and developers are used to.
  • PaaS – Platform as a service – this model removes the burden of managing the underlying IT infrastructure and allows us to focus on the deployment and management of applications. With this model there is no need to worry about resource procurement, capacity planning, patching or other time- and resource-consuming activities.
  • SaaS – Software as a service – provides a completely working product that is run and managed entirely by the service provider. With SaaS, the focus moves from the management of the application towards the management of the business: there is no need to think about how the application is configured or managed, and the focus shifts completely to how to use the application as well as possible.

These options can be deployed in various ways, each of them having its own characteristics:

  • Private cloud – Operated for a single organization;
  • Community cloud – Shared by several entities that have a common purpose;
  • Public cloud – Available to the general public and owned by a single organization selling cloud services;
  • Hybrid cloud – Any combination of private, community or public cloud services.

Although using cloud computing services comes with advantages, such as cost cutting, easier capacity planning and less workload for IT departments, it can bring a burden in terms of data privacy, confidentiality, governance and control over the resources.


Moving to a cloud environment, or even using a partial cloud solution, has its benefits, but it also introduces new, complex issues that few companies are prepared for, such as:

  • Adoption of a new cloud service is very easy and straightforward; however, decommissioning such an application might prove to be a hassle. As a result, more and more companies pile up cloud solutions and have real trouble managing them appropriately.
  • With the implementation of a new cloud solution being so easy, virtually anybody in the company can source a new service. The problem is that not all cloud sourcing activities go through the IT department, creating a sort of “shadow IT” and making organizations “blind” to what actually happens with their data (where it is stored and processed, to whom it is transmitted and so on).
  • With so many cloud service providers on the market, it is only normal that each (or most) of them uses a different solution for securing its cloud services. Juggling several cloud service providers will prove to be a burden in terms of applying a unified approach to information security, policy distribution and so on.

One of the major issues when adopting a cloud service is drawing the line in terms of responsibilities. Usually the cloud service provider secures the platform or the underlying infrastructure (storage and compute resources shared by everyone), but securing the content or the data used is the duty of the cloud customer. While this might sound easy when there is only one cloud service in use, the problem arises when multiple services are needed. If these services are not integrated and interoperable over multiple (complex) environments, then we will need to implement a variety of security tools to appropriately secure these environments.

Eventually all companies rely to some extent on cloud services. Adopting a cloud solution increases the attack surface of a company and complicates the ability to appropriately address security issues such as:

  • Data breaches;
  • Lack of visibility and control;
  • Inappropriate Identity and Access management;
  • Account hijacking;
  • Insecure interfaces and APIs;
  • System vulnerabilities;
  • Data loss;
  • Inappropriate due diligence, and many more.


Addressing the challenges above must be done in a consistent but delicate manner. Performance cannot and must not be sacrificed for security. Organizations should seek a balance between using on-demand cloud services and enforcing consistent controls, policies and procedures. This requires finding a security solution compatible with cloud and automation to help organizations advance as fast as possible while also keeping an adequate security level.

Securing the cloud requires a new approach towards information security. Legacy security solutions do not function natively in a cloud environment and thus need to be replaced with newer solutions that can work effectively across physical and cloud environments. In the end, organizations need to separate security management from data classification in order to be able to appropriately classify all resources, regardless of the infrastructure they are running on (classic or cloud), as seamlessly as possible.

The more the security solution can easily integrate cloud-based services, the more secure the organization will be.


There can be no question that cloud computing was, is and will be a game changer for many organizations. However, just using a cloud solution does not solve security problems. Organizations still need to take responsibility for setting and monitoring their own attack surface and have rules for dealing with vulnerabilities. Moreover, organizations are ultimately responsible for setting service transparency, visibility and evaluation methods before any cloud supplier is contracted.