Cloud Security Architecture

Abstract

Cloud is not a new concept, cloud has been around for quite a number of years already, but the adoption has increased and with that the need for cloud specific governance, guidelines, architectures and security principles. As the cloud could be consumed in many different ways and in some scenarios perhaps even without understanding the ramifications of purchasing a cloud based solution like a Software as a Service (SaaS) application, a Platform as a Service (PaaS) to build upon or even an Infrastructure as a Service (IaaS) based virtual machine. As the cloud is, by design, so easy to consume it introduces new type of risks such as spinning up a Virtual Machine (VM) for testing and leave it accessible over the internet with a poor or no password protection for example. In order to secure an organizations cloud journey some steps ideally should have been done prior to beginning of said journey. Commonly it is however done the other way around where an organization is already consuming cloud and only after that starts to think about the security aspects of it. Some guardrails and security standards are ideally applied prior to an organization starting their cloud journey to be prepared for the cloud and ensure that the cloud estate remains secure and compliant. It is for that purpose that a reference cloud security architecture was created, introduced and applied across the organization’s cloud estate to ensure the applicability of the created architecture. Creating such an architecture could have been approached by modernizing something already existing or starting from scratch and creating almost like a cloud native security architecture. The question was however are there differences between an non-cloud and a cloud security architecture. Be it as it may, the architecture, as the cloud itself, is never done as it must be adapting and conforming to the evolution of the cloud when required. Reasons for a change in the architecture could arise from the cloud platform or platforms evolving, new regulatory requirements or additional compliance requirements introduced. Constructive research method was chosen as the methodology to be used in the research and creation of the reference architecture. Constructive research method is a type of a case study, where the outcome is tested and can be iterated to fit the purpose. When the architecture was created it was tested with the three most common cloud consumption models, IaaS, PaaS and SaaS. The application of the architecture was succesfull and the architecture was deemed functionalm applicable and ready for production use. It turned out that a non-cloud and cloud security architecture were very much alike, all the same core elements were there but the importance and impacting aspects were shifted with concepts such as the shared responsibility model having a bigger impact.