When talking about security in the public cloud, people often ask “what are the main differences between security on-premises and security in the public cloud?”
That’s a great question. I think many people believe that things change completely when you move to the public cloud. The fact is that we’ve been doing security for a long time and most of the things you know about security still apply to public cloud. You still need to address defense in depth, you still need antimalware, you still need network security controls, you still need to use secure coding practices, you still need comprehensive logging, reporting and alerting. You still need to do most of what you’re doing now.
If I had to call out two main differences between public cloud and on-premises security, I’d say they were:
- Shared responsibility
I’m going to leave the isolation for another time and focus on shared responsibility.
Shared responsibility in public cloud is related to the fact that you have a partner when you host resources on a public cloud service provider’s infrastructure. Who is responsible for what (in terms of security) depends on the cloud service model you use (IaaS/PaaS/SaaS). With IaaS, the cloud service provider is responsible for the core infrastructure security, which includes storage, networking and compute (at least at the fabric level – the physical level).
As you move from IaaS, to PaaS and then to SaaS, you’ll find that you’re responsible for less and the cloud service provider is responsible for more.
The figure below describes how shared responsibility works across the cloud service models.
We realize that this is a new approach to security for a lot of people and so we’ve come up with a white paper that will help you gain a deeper understanding of this shared responsibility for security in public cloud computing. In the paper we’ll go into more depth on each of the areas shown in the figure and help you understand what you’re responsible for and what your public cloud service provider is responsible for in each of these areas.
For more information on Shared Responsibility in the public cloud, please see Alice Rison’s post Microsoft Incident Response and shared responsibility for cloud computing.
You can also download Shared Responsibilities for Cloud Computing.