06 NOV 2017

Information security and the Cloud

Cloud computing can be thought of as a new way of approaching applications: an opportunity to stop managing systems in IT environments and focus only on the business, using a set of ready-to-use services (provided by third parties) to manage business processes without having to install applications on one's own systems.

The major Cloud Providers adopt three main approaches:

  • Infrastructure as a Service (IaaS): The Cloud is seen as a datacenter external to the company, or an extension of the company's own, on which you can create operating environments (generally virtual machines) and install your software stack. The hardware infrastructure is managed and supported by the Provider, but operating it is the responsibility of the user of the cloud service.
  • Platform as a Service (PaaS): The Cloud provides “middleware” platforms that can be used as a basis for implementing your own applications. In this case managing the software infrastructure (that is, the operating system and the installation and maintenance of the middleware) is the responsibility of the Provider, while configuring the platform and deploying the final software is the task of the user of the cloud service.
  • Software as a Service (SaaS): In this case the Provider supplies complete applications that the cloud user can customize or use directly for their needs. The management of the entire application and system stack is the responsibility of the Provider.

This distinction holds both when companies want to use the Cloud to build a service for their customers and when they want to manage applications and services that support their own IT.

Cloud: what are the advantages?

The advantages of the “as a service” approach are incremental: they grow as you move toward the SaaS model. The ability to scale your cloud operating environment without worrying about hardware acquisitions (IaaS) is joined by ever greater independence from operational tasks, which simplifies the management of the systems and makes it cheaper (PaaS), until management is delegated entirely to the Provider (SaaS).

Another substantial advantage is the “pay per use” policy typically adopted by Providers. Thanks to the speed with which cloud systems can be activated, deactivated and scaled, customers can use (and pay for) their environments only for the actual hours of use (a typical example is an application used only during office hours).

If we think of our company server as our own car, we can compare:

  • leasing a car to a server acquired in IaaS mode (I pay for the gasoline and I drive it, but I do not pay for car maintenance and spare parts).
  • a car sharing solution to a PaaS environment (I pay for the service for the time I use it, I drive it, but I do not worry about anything else).
  • a taxi to a SaaS environment (I ask the driver to take me from one point to another and I pay for the time).

Cloud, what are the main risks for company security?

One of the main risks associated with the use of the Cloud is that data is no longer under the direct control of the company, nor in a context that follows the company's business logic, because it is exposed to third-party vulnerabilities.

The second risk is related to the sale and use of data. However, European legislation has moved towards uniform rules valid in all countries with the GDPR (General Data Protection Regulation).

A third risk is connected to the use of APIs, application programming interfaces that can be used to build other services on existing ones. Because APIs are an entry point for accessing data, they must be secure.

Edited by Lucia D’Adamo, in collaboration with Pasquale Camastra and Alberto Caporro, supervised by Marco Pirrone