Cloud Stacks: Please Mind The Gap

By Craig Balding

MIND THE GAP

Security gaps creep in when people think "other people are taking care of it".

When a security practitioner assesses a complex system, they’ll look at the ‘hand offs’ between different players within the system.  In fact, if they’ve been in the game for a while, they’ll apply laser sharp focus to where the responsibilities of one party ends and another party begins.  In other words, they’ll be searching for the security gaps, the security ‘no-mans land’.   This is a dark place where - as a good friend of mine puts it - “the bad stuff” gets in and the “good stuff” doesn’t flow.

If you’ve ever performed a security review of an outsourced IT system, you’ll know exactly what I mean.

In the context of Cloud Computing then, who takes responsibility for what?

As a customer of the Cloud, you or your company may strike an agreement with a company perched atop the Cloud.  They provide you with Software as a Service (SaaS) or some other form of high level, end-user service.  Your service agreement and/or contract will define what you can expect from them and what they expect from you.

However, to deliver the service to you, they rely on other Cloud providers further down the stack.  In fact, at any level in the Cloud Stack, it could be multiple players providing the service *they* rely on; e.g. Cloud Storage, Cloud Compute, Cloud Security (?). 

These providers in turn depend upon other service providers at the next layer down in the Cloud and so on.

See where I’m going with this?

This is a new game I’m going to call “Join the Security Dots in Cloud Land“.

And even then it isn’t as simple as I’ve presented it.

To end this post I’m going to ask a question to readers of this blog that provide a service on top of the Cloud (I have logs, I know you’re out there ;-):

What *security* arrangements do you have in place with Cloud Service Providers you rely on to deliver your service?  What are you doing to build “trust in depth” in the Cloud?

To clarify, I’m not asking you to spill your secret sauce on the Cloud Security alter - rather I want to hear what you are doing for your customers to build assurance (and I don’t mean ‘fluffy’ clouds ;-).

Personally, I think this will be one of the keys to selling Cloud Services to Enterprise customers.