(This article was written by Douglas Paris-White and first appeared on the IBM Cloud Blog)
Here are summaries of the five kinds of security a cloud platform should offer.
1: Identity and access management (IAM)
Any interaction with a cloud platform should start with establishing who or what is doing the interacting—an administrator, a user, or even a service. Look for providers that offer a consistent way to identify and authenticate anyone accessing applications developed in the cloud.
Similary, cloud platform vendors should offer a way for developers to build authentication into their mobile and web apps to control end user access. For example, IBM® Cloud offers developers App ID as a way to do so.
Organizations that have an existing identity and access management (IAM) system should expect a cloud provider to integrate it into the cloud platform for them—after all, IAM is extremely important to knowing who did what and when.
Finally, as part of IAM, a provider should automatically log all access requests and transactions and make them available for auditing purposes.
2: Network and host security
These three technologies are crucial for maintaining network security in the cloud:
- Security groups and firewalls—Network firewalls are essential for protecting perimeters (virtual private cloud/subnet-level network access) and creating network security groups for instance-level access. Make sure your cloud providers offer these protections.
- Micro-segmentation—Developing applications cloud-natively as a set of small services provides a security advantage: you can isolate them using network segments. Look for a cloud platform that implements and automates micro-segmentation through network configuration.
- Trusted compute hosts—Cloud platform providers that offer hardware with load-verify- launch protocols can give you highly secure hosts for running your workloads. Using trusted platform module (TPM) with Intel Trusted Execution Technology (Intel TXT) in compute hosts is an example how provider might fundamentally secure their platform.
3: Data encryption and key management
It’s a boot-strap dilemma of cloud platforms that encryption, to be useful, depends on keeping encryption keys from being accessed without authorization. How do you prevent administrators on a platform you don’t control from accessing your keys? Bring your own keys.
A bring-your-own-keys (BYOK) model protects cloud workloads that require encryption. In this approach, your key management system generates a key on premises and passes it to the provider’s key management service. The root keys never leave the boundaries of the key management system, and you’re able to audit all key management activities. Any platform provider serious about protecting client data should offer BYOK key management for encryption of data at rest, data in motion and container images.
4: Application security and DevSecOps
As your DevOps team members build cloud-native apps and work with container technologies, they need a way to integrate security checks without stalling business outcomes. An automated scanning system helps ensure trust by searching for potential vulnerabilities in your container images before you start running them.
However, since simply scanning registry images can miss problems such as drift from static image to deployed containers, look for a cloud vendor that also scans running containers for anomalies. For example, IBM Cloud Container Service offers a Vulnerability Advisor to provide both static and live container image scanning.
5: Visibility and intelligence
Expect full visibility into your cloud-based workloads, APIs, microservices—everything. Ask cloud providers you’re considering if they have a built-in cloud activity tracker that can create a trail of all access–including web and mobile access–to the platform, services, and applications. Your organization should be able to consume logs and integrate them into your enterprise security information and event management (SIEM) system.
Some cloud service providers also offer security monitoring with incident management and reporting and real-time analysis of security alerts. As an example, IBM QRadar® is a comprehensive SIEM offering that provides a set of AI-empowered security intelligence solutions that can grow with your organization’s needs.
Business success on cloud platforms requires a trusted tech partner
As organizations address the specialized security needs of cloud platforms, they need and expect their providers to become trusted technology partners. Use the five fundamentals of cloud security to find a well-defended platform environment that supports fast application development without sacrificing security.