Learn about public, private, hybrid, community, multitenancy, and single tenancy architectures.
- [Instructor] These days, cloud computing seems to be the big trend within our industry. With the promise of increased availability, higher resiliency, and unlimited elasticity, the cloud definitely can provide our organizations with a lot of advantages over traditional network architectures. But cloud computing can also bring a number of unique security challenges into our environments. To better understand these, we first have to look at the different types of cloud solutions and architectures that are currently available. There are six types of cloud options: public, private, hybrid, community, multi-tenancy, and single-tenancy.
The most common type of cloud architecture is the public cloud. Under this model, a service provider makes resources available to end users over the internet. There are numerous public cloud solutions available today, including those from Google, Microsoft, and Amazon. For example, Google Drive is a public cloud service that is offered on both a free and a pay-for-use model. Public clouds can often be an inexpensive way for an organization to gain a required service both quickly and efficiently.
The second option is a private cloud. This service requires that a company creates its own cloud environment that only it can utilize as an internal enterprise resource. With a private cloud, your organization is responsible for the design, implementation, and operation of the cloud resources and the services that host them. For example, the U.S. government runs a private cloud for use by different organizations within the government, but my company and yours can't get access to it like we could with Google Drive. Generally, a private cloud is chosen when security is more important than cost to the organization.
A hybrid cloud solution combines the benefits of both the public cloud and the private cloud options. Under this architecture, some resources are developed and operated by the organization itself, like a private cloud would be. But the organization may also utilize some publicly available resources where it outsources services to another service provider, like a public cloud does. Because of the mixture of the private and public cloud resources, strict rules should be applied for what type of data is hosted in each portion of the hybrid cloud. For example, any confidential information should be hosted in the organization's private cloud portion only.
The fourth option is a community cloud. Under this model, the resources and cost are shared among several different organizations who have a common service need. This is similar to taking several private clouds and connecting them together. The security challenge here, though, is that each organization may have their own security controls. Remember, if you connect your network to another network, you inherit all their security risks as well. This doesn't change just because we moved into the cloud.
There are two other models that you should be aware of when dealing with cloud computing. The first is the multi-tenancy model. Under this model, the same resources are used by multiple organizations. This allows for a large gain in efficiency because most organizations don't use all of the capacity of a single server or a set of servers. But when two or more organizations share the same resource, there are some security concerns. For example, if your website is hosted on a shared server with 20 other customers, and one of those customers becomes the victim of a denial of service attack, that entire service will be undergoing the same attack. This is just one of the dangers and risks assumed under a multi-tenancy model.
To combat the risk assumed under the multi-tenancy model, there's also a single-user model called single-tenancy. Under this model, a single organization is assigned to a particular resource. Because of this, the organization's information is separated from other companies and hosted on individual-use servers. Because of the way this is designed, single-tenancy is much less efficient than multi-tenancy, and it also is more expensive because it requires more hardware to run properly.
So, which of the six models, or combination of these models, is right for your organization? Well, that really depends on your security needs, your cost restrictions, and your risk tolerance. It's generally cheapest to use a multi-tenancy solution with a public cloud model. But this also increases the risk to your information's confidentiality and availability. As with many things we consider as security practitioners, there is no single right answer. Instead, it's our job to weigh the benefits and the drawbacks in each of these models and then decide on the right one based on our organization's needs and security concerns.