2. Public infrastructure as a service
2
Overview: Many companies deploy their own
applications, websites and other workloads in
public infrastructure as a service (IaaS) and
platform as a service (PaaS) solutions because it
allows for rapid access to infrastructure on
demand and can scale rapidly.
Risk: The security that comes with public IaaS
service is not complete as it fails to protect
workloads - exposing the company to compliance
failures, brand damage, fines, legal liability and
data theft.
3. Infrastructure as a service
3
Technology: There are two categories of security for public IaaS – point solutions and
platform providers.
Broader cloud-forward providers focus on the strategic capabilities that transcend any
specific cloud provider, similar to CloudPassage's software-defined security.
Point solutions only provide one or two functions; an example would be the SIEM
capabilities provided by ArcSight or Splunk.
These few technology providers offer a diverse group of security controls but all focus on
securing the workload in the cloud.
IaaS requires the ability to verify integrity of the
workload, alert to unauthorized changes, and track for
incidents of compromise – details that an IaaS provider
would be unable to ascertain but are the responsibility
of the business
4. Software as a service
4
Overview: SaaS providers offer ready-to-use
business applications that are available on
demand and can scale.
Risk: SaaS providers handle sensitive business
information, but your company is still
ultimately responsible for its data and should
perform due diligence on the SaaS providers.
With SaaS, we see common routes to data
theft through:
1. Attackers exploiting weak or poorly managed SaaS authentication mechanisms to
gain access to user accounts.
2. Weaknesses in application functionality that allow intruders to gain a foothold or
extract data.
3. Vulnerabilities of infrastructure that can be exploited.
5. Software as a service
5
Technologies: The two major focus areas for businesses to address regarding SaaS
security are data encryption and user access control.
Data encryption focuses on protecting the end-
user data within the service infrastructure with
companies like CipherCloud.
User access control focuses on stronger
authentication and more effective identity
management that collectively protects access to
a company's SaaS data, accounts and supporting
services. Examples include OneLogin, Okta and
Ping Identity.
6. Governance of cloud services
6
Overview: As companies use IaaS, PaaS and SaaS, they need to have mechanisms in
place that will track, monitor and govern the use of these services, which is critical to
companies maintaining control of information technology and protecting data assets.
Risk: Without governance, there's a lack of visibility into how company data is being
used, where it's being sent and the threats it's being exposed to.
7. Governance of cloud services
7
Technologies: The governance and utilization monitoring of cloud services is newly
emerging. Companies can monitor and set granular policies regarding employee
access to and usage of common SaaS, PaaS and IaaS providers, which allows them to
mitigate potentially risky data handling in the cloud and cloud data loss protection.
Companies can also control what can be used and done with approved cloud
services and report on utilization and activity integrated with identity and access
management. Examples of governance of cloud services include NetSkope and
Skyhigh.