If I asked you what security products you had in place to manage your risk within your IT organisation 10 years ago, you’d probably have been able to list a half dozen different tools and confidently note that most of your infrastructure was covered by a common set of key products such as antivirus, DLP, firewalls, etc. But in a world with IaaS, PaaS and SaaS, maintaining a comprehensive approach becomes far more difficult.

Whilst many hosted services have overlapping functionality and thus may share specific security requirements, most will typically limit your control of the underlying components to some degree in an effort to reduce the overall management overhead. (This is, after all, the benefit of paying for a service rather than hosting your own instances, and part of the flexibility gained from the different service offerings available on the market today.) As a result, many will require a completely different method of assessing security and compliance.

If you’re only just getting started with cloud services or are diversifying your cloud service offerings, it’s important to consider your security/compliance requirements for each and every type of service added to your portfolio. For those who haven’t been knee-deep in these abbreviations, let’s take a look at the three common service offerings and their associated security requirements.

IaaS (Infrastructure as a Service)

IaaS (Infrastructure as a Service) is, in effect, where a cloud provider hosts the infrastructure components traditionally present in an on-premises data center, including servers (operating systems), storage and networking hardware, as well as the virtualization or hypervisor layer.

From a security perspective, this offering is probably the closest to traditional in-house IT infrastructure. (Indeed, many companies will effectively move existing server payloads to IaaS either partially or completely resulting in a hybrid