Compute Services

Five fundamentals of cloud security

Share this post:

Here are summaries of the five kinds of security a cloud platform should offer. Download the Guide Securing Cloud Platforms for the details.

1: Identity and access management (IAM)

Any interaction with a cloud platform should start with establishing who or what is doing the interacting—an administrator, a user, or even a service. Look for providers that offer a consistent way to identify and authenticate anyone accessing applications developed in the cloud.

Similary, cloud platform vendors should offer a way for developers to build authentication into their mobile and web apps to control end user access. For example, IBM® Cloud offers developers App ID as a way to do so.

Organizations that have an existing identity and access management (IAM) system should expect a cloud provider to integrate it into the cloud platform for them—after all, IAM is extremely important to knowing who did what and when.

Finally, as part of IAM, a provider should automatically log all access requests and transactions and make them available for auditing purposes.

2: Network and host security

These three technologies are crucial for maintaining network security in the cloud:

  • Security groups and firewalls—Network firewalls are essential for protecting perimeters (virtual private cloud/subnet-level network access) and creating network security groups for instance-level access. Make sure your cloud providers offer these protections.
  • Micro-segmentation—Developing applications cloud-natively as a set of small services provides a security advantage: you can isolate them using network segments. Look for a cloud platform that implements and automates micro-segmentation through network configuration.
  • Trusted compute hosts—Cloud platform providers that offer hardware with load-verify- launch protocols can give you highly secure hosts for running your workloads. Using trusted platform module (TPM) with Intel Trusted Execution Technology (Intel TXT) in compute hosts is an example how provider might fundamentally secure their platform.

3: Data encryption and key management

It’s a boot-strap dilemma of cloud platforms that encryption, to be useful, depends on keeping encryption keys from being accessed without authorization. How do you prevent administrators on a platform you don’t control from accessing your keys? Bring your own keys.

A bring-your-own-keys (BYOK) model protects cloud workloads that require encryption. In this approach, your key management system generates a key on premises and passes it to the provider’s key management service. The root keys never leave the boundaries of the key management system, and you’re able to audit all key management activities. Any platform provider serious about protecting client data should offer BYOK key management for encryption of data at rest, data in motion and container images.

4: Application security and DevSecOps

As your DevOps team members build cloud-native apps and work with container technologies, they need a way to integrate security checks without stalling business outcomes. An automated scanning system helps ensure trust by searching for potential vulnerabilities in your container images before you start running them.

However, since simply scanning registry images can miss problems such as drift from static image to deployed containers, look for a cloud vendor that also scans running containers for anomalies. For example, IBM Cloud Container Service offers a Vulnerability Advisor to provide both static and live container image scanning.

5: Visibility and intelligence

Expect full visibility into your cloud-based workloads, APIs, microservices—everything. Ask cloud providers you’re considering if they have a built-in cloud activity tracker that can create a trail of all access–including web and mobile access–to the platform, services, and applications. Your organization should be able to consume logs and integrate them into your enterprise security information and event management (SIEM) system. 

Some cloud service providers also offer security monitoring with incident management and reporting and real-time analysis of security alerts. As an example, IBM QRadar® is a comprehensive SIEM offering that provides a set of AI-empowered security intelligence solutions that can grow with your organization’s needs.

Business success on cloud platforms requires a trusted tech partner

As organizations address the specialized security needs of cloud platforms, they need and expect their providers to become trusted technology partners. Use the five fundamentals of cloud security to find a well-defended platform environment that supports fast application development without sacrificing security.

Learn what’s next for your cloud adoption.

Add Comment
No Comments

Leave a Reply

Your email address will not be published.Required fields are marked *

More Security stories

API Replacement: Secure Gateway Service for IBM Cloud

The Secure Gateway Service team is making changes to further improve security and to prepare for the EU General Data Protection Regulation (GDPR).

Continue reading

Has your team automated DevSecOps?

Adopting a container-based platform is the primary way development teams are streamlining their work. Pulling down a publicly available container image saves a lot of image preparation time. Automated toolchains also enable teams to develop and deploy innovative new apps more quickly, delivering frequent updates to customers. Safeguarding data associated with those apps is critical. […]

Continue reading

How to build confidence in cloud security

From authentication to API access, public cloud platform providers are hardening every aspect of their systems to ensure greater security and scalability. And this strategy is paying off: the number of surveyed organizations who distrust clouds dropped from 50% to 29% in a 2017 survey. But how does one gain the assurance needed to confidently […]

Continue reading