The cloud has become an integrated part of today’s networks. In this video, you’ll learn about various cloud delivery models and how to manage cloud security policies.
At this point, many of us have taken advantage of software as a service, or SaaS. This is on-demand software. So if you didn’t want to run your own mail server, you could effectively outsource that functionality to a third party that provided you with software as a service. Many organizations also do this for payroll. So you don’t have to have your own server running your own payroll software. You simply use a third party to do the payroll, using their software as a service.
An important aspect of software as a service is that everything is located in the cloud: all of the applications are running on external servers, and all of your data is being stored on that external cloud based service. Usually software as a service is something that’s very turnkey. You simply log on to the system, and all of it is available for you to use.
A good example of this might be Google mail, where you simply log in with your Google login, and your entire mailbox and everything you need is ready to go. Infrastructure as a service, or IaaS, is when you’re provided all the hardware, and then it’s up to you to make everything else happen. This is sometimes referred to as hardware as a service, because you’ve outsourced the hardware, but you’re handling all of the operating systems, all of the management of the devices, and all of the security of your data.
With infrastructure as a service, all of your data is still out in the cloud, but you have a little bit more control over how that data is used. Many web server providers provide infrastructure as a service where they will provide you with a system and maybe an operating system, and then it’s up to you to load all of the other software and applications you need on that infrastructure as a service.
Platform as a service, or PaaS, is one that also has no physical servers in your environment. You don’t have to maintain any software. You don’t have to have a maintenance team or a data center with some HVAC. Someone else is handling the platform in the cloud, and you handle all of the development processes.
As with software as a service, the platform as a service environment is handled by a third party. You’re not responsible for keeping the systems running or maintaining the operating system. There are trained professionals who are in charge of watching over all of your systems and making sure that everything is secure.
Unlike software as a service, a platform as a service offering is one that’s giving you a sandbox where you can build your own applications. They’re usually providing you with modular building blocks that you could use to put together the perfect application for your use. A popular example of platform as a service is the one provided by salesforce.com that allows you to take all of the modular pieces that are available on their platform and build your custom application.
There are many different ways to build a cloud. If you wanted to put together your own data center with your own cloud based systems, you would be effectively creating a private cloud in your own virtualized data center. If you’re using a third party data center, then you’re probably using a public cloud that’s available to everyone on the internet. And if you had a combination of a private and a public cloud, we refer to this as a hybrid cloud deployment model. There’s also the community cloud deployment model, where many different groups will get together and as a community share the exact same resources in that single cloud.
In a traditional deployment model, all of the hardware was private, it was in your own data center, and it was on your premises. You had complete control of all of the hardware, all of the software, and the location where all of that information was located. With hosted resources, all of your hardware, all of your data, and all of your applications are running on a third party system that is located outside of your building. You’re usually running this on hardware provided by the third party, and it’s usually a specialized application that’s running on that system.
Cloud based resources are much more modular. You can build out application instances and tear them down instantly. As you need more resources, more CPU time, more memory, more disk space, you can simply request that from the cloud and allocate it to your application. If we’re using an application that’s located somewhere physically different from where we happen to be, there’s probably a significant security concern about that communication.
If you’re using a browser based application, it’s common to use SSL or TLS encryption to be able to have an encrypted tunnel between your device and the application. If you have an entire site of people that need secure access into this cloud based application, you may want to enable VPN connectivity where you create an entire tunnel for everyone to use to communicate back and forth to the cloud based system. This type of implementation commonly needs some additional firewalls or dedicated hardware to provide the VPN, and you have to coordinate that VPN connectivity with the third party cloud provider.
And if security is of the utmost importance, you may want to have that entire cloud based instance located inside of your own facilities, and you’ll have a direct connection, usually a high speed connection, into your own private cloud. As with most applications, there’s usually a very important security component associated with the app. You have all of these clients that are working with this application, but all of the data may be located outside of your facilities in the cloud. You’ve created some very specific security controls, but how do you apply those controls to data that may be located somewhere else?
In those situations, you may want to implement a CASB. This is a cloud access security broker, and it may be implemented as software that you have on everyone’s client device. You may have appliances that sit between the clients and the cloud. Or there may be facilities in the cloud itself that allow you to provide these additional security controls.
There are four main characteristics of a CASB. The first would be visibility. You need to know exactly what applications people are using in the cloud, and you want to be sure that the right people have the right authority to use those applications. If you’re working with medical information or credit card information, then there are probably also some significant compliance requirements. If you want to be sure your users are complying with HIPAA or PCI requirements, then you want to be sure you have the CASB in place.
Since the applications and the data are in the cloud, they may be accessible by others. So a CASB will allow you to provide threat prevention. Make sure that only authorized users gain access to this application and this data. And of course, there will be data transferred between your facility to the cloud and back again. So you want to be sure that all of that data is sent over encrypted channels. And if anyone is sending any personally identifiable information, you want to identify that and provide some type of security controls in the form of data loss prevention.
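The four CASB checks described above (visibility of sanctioned apps, authorized users only, encrypted transport, and data loss prevention for PII) can be seen in a small policy engine. This is an added example, not code from the video or from any CASB product; the app list, user names, and the three log events are constructed samples, and the card-number and SSN patterns are illustrative rather than a complete DLP rule set.

```python
import re
from dataclasses import dataclass

# Constructed policy: which cloud apps are sanctioned and which users may use each.
SANCTIONED_APPS = {
    "mail.example.com": {"alice", "bob"},
    "payroll.example.com": {"bob"},
}

@dataclass
class Event:
    user: str   # identity the broker saw on the session
    app: str    # destination cloud service
    tls: bool   # was the session encrypted in transit?
    body: str   # outbound content the broker inspected

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell real card numbers from random digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US SSN layout (illustrative)

def find_pii(text: str) -> list[str]:
    """Return the kinds of PII found in outbound content (the DLP step)."""
    hits = [
        "card number"
        for m in CARD_RE.finditer(text)
        if luhn_ok(re.sub(r"\D", "", m.group()))
    ]
    if SSN_RE.search(text):
        hits.append("US SSN")
    return hits

def evaluate(ev: Event) -> list[str]:
    """Apply the four CASB checks to one event and return the violations found."""
    findings = []
    allowed = SANCTIONED_APPS.get(ev.app)
    if allowed is None:
        findings.append("visibility: unsanctioned app " + ev.app)
    elif ev.user not in allowed:
        findings.append(f"threat-prevention: {ev.user} not authorized for {ev.app}")
    if not ev.tls:
        findings.append("data-security: session not encrypted")
    findings.extend("dlp: " + kind for kind in find_pii(ev.body))
    return findings

SAMPLE_EVENTS = [  # constructed log events, not captured traffic
    Event("alice", "mail.example.com", True, "see you at 10"),
    Event("carol", "payroll.example.com", True, "W-2 for 123-45-6789"),
    Event("bob", "files.unknown-saas.example", False, "card 4111 1111 1111 1111 exp 12/29"),
]
```

Running `evaluate` over `SAMPLE_EVENTS` flags the second event for an unauthorized user plus an SSN, and the third for an unsanctioned app, a cleartext session, and a Luhn-valid card number.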