In this, the final post in my series on considerations for managing your security with cloud services, we will be looking at Infrastructure as a Service (IaaS). If you haven’t yet read the previous blog entries about SaaS and PaaS, it’s worth going back to read these first, as much of the thinking associated with these services is also true for IaaS.

Infrastructure as a Service

IaaS is (or can be, depending on exactly which services you choose to purchase) the closest thing to traditional on-site IT infrastructure. IaaS provides you with cloud-hosted servers/network infrastructure upon which you run your own software and configurations. The most common examples that people consider when they think about IaaS include AWS EC2 and Azure’s server infrastructure, but it could equally be backup/storage or virtualised networking infrastructure.

Due to the similarity with on-premises infrastructure, a lot of the existing security processes might be appropriate. A traditional antivirus or patch management tool, for example, may support usage in the cloud, but that doesn’t necessarily mean that your existing security processes can be applied directly.

IaaS Specific Challenges

One of IaaS’s most significant differences is elasticity, which gives you the ability to create new devices ‘on-the-fly’. There are significant advantages to be had by being able to spin up new virtual servers with a predefined configuration and then dynamically remove them when you’re done. Most people associate this elasticity with scaling up cloud infrastructure to support web front ends, but it’s just as likely to be powering up a virtual desktop infrastructure (VDI) where clients may access their data/applications when needed. This non-persistence, however, could prove to be a significant challenge to your existing security tools.

The first key thing to identify is whether your tooling supports an elastic model of machine creation.