Five security services every cloud platform should provide
Here are summaries of the five security services and enterprise security management a cloud platform should offer.
1: Identity and access management (IAM)
Any interaction with a cloud platform should start with establishing who or what is doing the interacting—an administrator, a user, or even a service. Look for providers offering a consistent way to identify and authenticate anyone accessing cloud applications, as part of their package of security services.
Similary, cloud platform vendors should offer a way for developers to build authentication into their mobile and web apps to control end user access. For example, IBM® Cloud offers the security service App ID to developers.
Organizations that have an existing identity and access management (IAM) system should expect a cloud provider to integrate it into the cloud platform for them—after all, IAM is extremely important to knowing who did what and when.
Finally, as part of IAM, a provider should automatically log all access requests and transactions and make them available for auditing purposes.
2: Networking security and host security
These three technologies are crucial for maintaining integrity in your network of security services:
Security groups and firewalls—Network firewalls are essential for protecting perimeters (virtual private cloud/subnet-level network access) and creating network security groups for instance-level access. Make sure your cloud providers offer these protections.
Micro-segmentation—Developing applications cloud-natively as a set of small services provides a security advantage: you can isolate them using network segments. Look for a cloud platform that implements and automates micro-segmentation through network configuration.
Trusted compute hosts—Cloud platform providers that offer hardware with load-verify- launch protocols can give you highly secure hosts for running your workloads. Using trusted platform module (TPM) with Intel Trusted Execution Technology (Intel TXT) in compute hosts is an example how provider might fundamentally secure their platform.
3: Data security: encryption and key management
It’s a boot-strap dilemma of cloud platforms that encryption, to be useful, depends on keeping encryption keys from being accessed without authorization. How do you prevent administrators on a platform you don’t control from accessing your keys? Bring your own keys.
A bring-your-own-keys (BYOK) model protects cloud workloads that require encryption. In this approach, your key management system generates a key on premises and passes it to the provider’s key management service. The root keys never leave the boundaries of the key management system, and you’re able to audit all key management activities. Any platform provider serious about protecting client data should offer BYOK key management for encryption of data at rest, data in motion and container images.
4: Application security and DevSecOps
As your DevOps team members build cloud-native apps and work with container technologies, they need a way to integrate security checks without stalling business outcomes. Therefore, they should use an automated scanning system to search for potential vulnerabilities in your container images before you start running them using
Because simply scanning registry images can miss problems like drift from static image to deployed containers, look for a cloud vendor that also scans running containers for anomalies. For example, IBM Cloud Container Service offers a Vulnerability Advisor to provide both static and live container security through image scanning.
5: Visibility and intelligence
Expect full visibility into your cloud-based workloads, APIs, microservices—everything. Ask cloud providers if they have a built-in cloud activity tracker that can create a trail of all access–including web and mobile–to the platform, services, and applications. Your organization should be able to consume logs and integrate them into your enterprise security information and event management (SIEM) system.
Some cloud service providers also offer security monitoring with incident management, reporting and real-time analysis of security alerts. IBM QRadar® is a comprehensive SIEM offering that provides a set of AI-empowered security intelligence solutions that can grow with your organization’s needs.
Business success on cloud platforms requires trust in security services
As organizations address the specialized security needs of cloud platforms, they need and expect their providers to become trusted technology partners. Use the security guide to find a well-defended platform environment supporting fast application development without sacrificing security.