Despite its positive attributes, public cloud computing forces subscribers to trade off the level of security they can enforce in their own private data centers against the level of security attainable in the cloud. The underlying reason is that cloud security ownership is, by necessity, shared ownership: no single party controls every layer of the stack.
As shown in the following illustration, securing workloads in the cloud spans multiple parties: the data center owner/operator, the cloud services provider and the cloud subscribers. Further, the subscriber's share of security ownership varies, by design, with the type of cloud computing service: it is largest for Infrastructure as a Service (IaaS), smaller for Platform as a Service (PaaS), and smallest for Software as a Service (SaaS).
Attaining uniform security and compliance when multiple parties are involved is a non-trivial challenge by itself. When the enterprise subscribes to multiple cloud providers, the challenge is compounded, because each provider exposes its own controls and its own administrative interface. Furthermore, it is common for cloud subscribers to maintain private, on-premises data centers as well. In this hybrid setting, cloud subscribers use one administrative interface to manage security in their private data centers and another for each set of cloud instances. The result is more administrative overhead and more room for security inconsistencies (policies that are enforced in one environment but diverge, lapse or are misconfigured in another) than a single administrative interface would allow.
For its part, the security industry has already introduced some cloud security solutions, and will introduce more, that help cloud subscribers narrow the gap between the security and compliance they need and the cloud computing benefits they want.
These solutions fall into three categories.
· On-premises security extension. In this approach, recently adopted by SafeNet with its Trusted Cloud Fabric, the enterprise extends the capabilities of its on-premises security products into providers' public cloud environments. This approach has several positive attributes: administration and reporting stay centralized in one place, the enterprise's security personnel can reuse their existing product knowledge rather than learning each provider's native controls, and the same products extend into hybrid and multi-provider environments, so policy can be applied consistently across all of them.