A common misperception is that moving your business to the cloud obligates the cloud provider to take care of everything. However, a substantial amount of work is still shared by both sides.
The division of labor and responsibilities is less of an issue for enterprise companies with built-in IT support. But many small and medium-sized businesses (SMBs) are surprised by the amount of work they still must cover with limited resources. For example, many organizations mistakenly believe that a cloud service provider (CSP) will take care of all things related to security.
It’s important that businesses and organizations understand their roles and responsibilities when moving to the cloud, especially into an Infrastructure as a Service (IaaS) environment.
This division of labor covers several areas. Let’s run through a few of these starting with the customer’s duties.
Customer Roles and Responsibilities
In this section, I discuss three key customer roles and responsibilities.
- Controlling Identity and Access Management (IAM)
As the name suggests, IAM covers two areas:
• Identity: Who is the user? How do we authenticate this user — via a password, by an alternative challenge?
• Access: After the users are authenticated, what can they do?
With a cloud management platform, it is important that users have access to only the functions they need to carry out their jobs. When new users are experimenting with the cloud, it is easy for them to do everything from the outset as an administrator, even as the root user. This practice is dangerous and makes it impossible to track and audit user activity. In some cloud-based environments, retrofitting settings once the administrator creates them is difficult. Likewise, providing administrators with complete access without checks and balances is also dangerous.
One way to tackle this challenge is through a least privilege approach, whereby a user’s access rights can be elevated for a short time to carry out a set of tasks. Once the tasks are completed, you can set them back to their normal privilege levels.
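As an added illustration (not code from the article or from iland), here is a minimal Python policy engine showing the time-boxed elevation described above: each user holds a base role, elevated rights expire automatically at the end of the window, and every decision is written to an audit trail that names the user rather than a shared root account. The roles, actions, user names and the change-ticket reason are all constructed for the example.

```python
"""Time-boxed privilege elevation with an audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical role -> permitted actions mapping, constructed for the example.
ROLE_PERMISSIONS = {
    "viewer": {"vm:describe", "storage:describe"},
    "operator": {"vm:describe", "storage:describe", "vm:start", "vm:stop"},
    "admin": {"vm:describe", "storage:describe", "vm:start", "vm:stop",
              "vm:delete", "iam:modify"},
}

# Fixed reference time so the demo and its checks are deterministic.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def minutes_after(n: int) -> datetime:
    """Return the instant n minutes after T0."""
    return T0 + timedelta(minutes=n)


@dataclass
class Elevation:
    role: str
    expires_at: datetime
    reason: str


@dataclass
class AccessManager:
    base_roles: dict                                # user -> base role
    elevations: dict = field(default_factory=dict)  # user -> Elevation
    audit_log: list = field(default_factory=list)   # (time, user, event, detail)

    def elevate(self, user: str, role: str, minutes: int, reason: str, now: datetime) -> None:
        """Grant `role` to `user` for a bounded window; the grant itself is logged."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.elevations[user] = Elevation(role, now + timedelta(minutes=minutes), reason)
        self.audit_log.append((now, user, "elevate", f"{role} for {minutes}m: {reason}"))

    def effective_role(self, user: str, now: datetime) -> Optional[str]:
        """Elevated role while the window is open, otherwise the base role."""
        elev = self.elevations.get(user)
        if elev is not None:
            if now < elev.expires_at:
                return elev.role
            # Window closed: drop back to the base role automatically.
            del self.elevations[user]
            self.audit_log.append((now, user, "elevation_expired", elev.role))
        return self.base_roles.get(user)  # None for unknown users -> denied

    def check(self, user: str, action: str, now: datetime) -> bool:
        """Decide whether `user` may perform `action` at `now`; every decision is logged."""
        role = self.effective_role(user, now)
        allowed = role is not None and action in ROLE_PERMISSIONS[role]
        self.audit_log.append((now, user, "allow" if allowed else "deny", action))
        return allowed


def run_demo() -> list:
    """Walk through one elevation cycle; returns the four access decisions."""
    mgr = AccessManager(base_roles={"alice": "operator"})
    decisions = [
        mgr.check("alice", "vm:delete", T0),                 # base role: denied
    ]
    mgr.elevate("alice", "admin", 30, "change ticket (constructed)", T0)
    decisions += [
        mgr.check("alice", "vm:delete", minutes_after(5)),   # inside window: allowed
        mgr.check("alice", "vm:delete", minutes_after(31)),  # window closed: denied
        mgr.check("mallory", "vm:describe", T0),             # unknown user: denied
    ]
    return decisions


if __name__ == "__main__":
    print(run_demo())  # [False, True, False, False]
```

The point of the expiry check living inside `effective_role` is that nobody has to remember to revoke the elevation; the privilege falls away on its own, and the audit log shows who held what, when, and why.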
- Maintaining the Operating System, Antivirus Software and Backups
When deploying virtual machines, CSPs will usually provide a catalog of the most recent operating system templates, including Windows or Linux. The customer is responsible for keeping these operating systems patched and up-to-date.
Similarly, the customer has to determine what, if any, antivirus or anti-malware solutions the CSP provides in the template or as an option. It is important to note that just being in the cloud does not remove the need for antivirus solutions. Many CSPs provide these solutions at the hypervisor layer to prevent scans from affecting the performance of virtual machines (VMs).
Just as important as security software is the need for backups. Even if the CSP provides redundant storage to protect against storage subsystem failures, that will not protect you against data loss through accidental deletion, corruption or ransomware. So, check what backup solutions are available, what the retention periods are, how often backups are taken and where the data will be stored.
- Oversee Middleware, Runtime, Application and Data Processes
Customers have to manage and control all aspects of the middleware, runtime, application and data in an IaaS cloud environment. A cloud-based environment must be architected to provide the network security and data storage required by the application. As with all IT implementations, this needs to be sufficient for the business’s requirements.
As new data protection legislation, such as the General Data Protection Regulation (GDPR), is introduced, it is important to classify the data stored and provide sufficient controls to protect the data from malicious access. For example, databases should be hosted on secure back-end networks. Only the relevant protocols should be allowed access via the firewall. It also might be necessary to further lock access down by source IP address. Data may need to be encrypted. Only database administrators should be allowed access.
Cloud Provider Responsibilities
In this section, I discuss three key responsibilities of CSPs.
- Enabling Customers Through Virtualization
Virtualization is a key technology that enables cloud computing. Cloud management platforms enable the self-service capabilities that we know as cloud, from the VM (central processing unit [CPU] and random-access memory [RAM]) and storage to the complex virtual networking provision.
Virtualization and cloud management platforms make it extremely easy for customers in a cloud-based environment to self-provision VMs, storage and virtual networking.
Some cloud providers use instance or “t-shirt sizes” (small, medium, large), whereas other providers allow customers to provision VMs of any size and simply bill on the actual consumption of CPU and RAM by using resource pools. These VMs can be resized depending on requirements from week to week. Customers can add or remove CPU and RAM as required.
Similarly, customers can provision storage using different storage capabilities, such as disk, solid-state drives (SSDs) or SSD/cache-accelerated.
From a virtual networking perspective, customers can self-provision networks based on virtual local area networks (VLANs) or virtual extensible LANs (VXLANs), allowing them to securely share the underlying physical networks. In addition to using the public Internet, customers can take advantage of high-speed private networks using Multiprotocol Label Switching (MPLS) or leased lines to connect back to their on-premises environments.
When you are architecting a solution to run in the cloud, the same principles you use on-premises still hold true. It is easy to create a demilitarized zone (DMZ) and then internal networks, which may or may not have access to the Internet, and create firewall and routing rules between the various networks.
Typically, CSPs provide customers with an edge firewall or router to use to access the Internet. A self-service interface enables them to create firewall rules, as well as network address translation in both directions (Source Network Address Translation [SNAT] and Destination Network Address Translation [DNAT]). Edge gateways can also be used for Internet Protocol security (IPsec) site-to-site virtual private networks (VPNs), Secure Sockets Layer (SSL) client VPNs and simple load balancing.
For additional security, other virtual security appliances can be deployed to provide additional functionality. Examples include virtual firewalls (deep packet inspection), web application firewalls and complex load balancers.
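The database lockdown described under the customer’s duties (only the relevant protocols, restricted by source address, database administrators only) and the DMZ, back-end network and edge-gateway DNAT described here can be expressed as one first-match rule set with a default deny. The following Python evaluator is an added example, not code from the article or any provider’s product; the addresses (documentation ranges), ports, DNAT entry and rules are all constructed for illustration.

```python
"""First-match firewall policy check for a two-tier cloud network (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str     # source address
    dst: str     # destination address (public VIP or internal)
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any port
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and self.proto in ("any", flow.proto)
                and (self.dport is None or self.dport == flow.dport))


# Constructed addressing: RFC 5737 documentation range for the public side.
PUBLIC_VIP = "203.0.113.10"
INTERNET = "0.0.0.0/0"
DMZ, WEB = "10.10.1.0/24", "10.10.1.10"          # web tier
BACKEND, DB = "10.10.2.0/24", "10.10.2.20"       # database tier, no Internet route
ADMIN_HOST = "10.10.3.5"                         # DBA jump host on a management network

# DNAT table on the edge gateway: public (ip, port) -> internal (ip, port).
DNAT = {(PUBLIC_VIP, 443): (WEB, 443)}

# Rules are evaluated top-down; the first match wins; nothing below matches -> deny.
POLICY = [
    Rule("allow", INTERNET, WEB + "/32", "tcp", 443, "public HTTPS to web tier"),
    Rule("allow", DMZ, DB + "/32", "tcp", 5432, "web tier to PostgreSQL only"),
    Rule("allow", ADMIN_HOST + "/32", DB + "/32", "tcp", 22, "DBA SSH from jump host"),
    Rule("deny", INTERNET, BACKEND, "any", None, "nothing else reaches the back end"),
]


def apply_dnat(flow: Flow) -> Flow:
    """Translate a flow aimed at the public VIP into its internal destination."""
    target = DNAT.get((flow.dst, flow.dport))
    if target is None:
        return flow
    return Flow(flow.src, target[0], flow.proto, target[1])


def evaluate(flow: Flow, policy=POLICY) -> Tuple[str, str]:
    """Return (decision, matched rule comment) for a flow, after DNAT."""
    flow = apply_dnat(flow)
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.comment
    return "deny", "default deny"


def run_demo() -> list:
    """Decisions for a handful of representative flows (constructed client address)."""
    client = "198.51.100.7"
    flows = [
        Flow(client, PUBLIC_VIP, "tcp", 443),   # public HTTPS, DNATed to web: allow
        Flow(client, PUBLIC_VIP, "tcp", 80),    # no DNAT entry, no rule: default deny
        Flow(client, DB, "tcp", 5432),          # Internet straight to database: deny
        Flow(WEB, DB, "tcp", 5432),             # web tier to database port: allow
        Flow(WEB, DB, "tcp", 22),               # web tier trying SSH to database: deny
        Flow(ADMIN_HOST, DB, "tcp", 22),        # DBA jump host SSH: allow
    ]
    return [evaluate(f)[0] for f in flows]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The order matters: the explicit deny on the back-end network sits after the narrow allows, so the database answers only on its own protocol from the web tier and on SSH from the jump host, and everything else, including any stray path from the Internet, is dropped before the default rule is even reached.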
- Provide Solutions via a Cloud Management Platform
Before cloud was a viable option, many service providers offered virtualized solutions to customers, but typically the virtualization was not designed to be multi-tenanted.
The advent of cloud management platforms, together with orchestration and automation solutions, has enabled cloud services to provide IaaS, Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) solutions.
Multi-tenancy is the ability to carve up resources on a shared environment, with networking and security services. This capability provides the economies of scale that cloud delivers, while also ensuring tenants cannot access each other’s services without permission.
- Management of a Physical Location
Starting at the bottom of the stack, it is worthwhile to spend a moment discussing the physical aspects of cloud computing. With on-premises implementations, the customer is responsible for everything, including the security, power, cooling and networking of the physical data center or computer room. When a business works with a CSP, however, the CSP takes over that work.
Regarding the cloud, in most cases, the CSP is leasing space from a data center provider. So, customers should ask these questions:
• Where is the data center? Whose data center is it? Are there several locations?
• How secure is it? What about perimeter security, closed-circuit television (CCTV) or entry systems?
• What industry accreditations does the data center provider have?
• Can you visit the data center?
• What provisions are there for power, cooling or networking?
• How resilient are all these things?
Equally, regarding the CSP itself, customers should ask these questions:
• What industry accreditations do you have for your processes and compliance?
• What service-level agreements (SLAs) do you provide around availability, performance and support?
• Who has access to my cloud environment?
• Will the data stay in the locations I have selected? Could it be moved or copied elsewhere, perhaps out of country?
- Maintain Security and Compliance
Most enterprise organizations have built up compliance teams over recent years, especially in the heavily regulated industries. These teams have to attain certifications or attestations. CSP organizations will need the same levels of compliance and security, but it is often difficult to achieve when working with public cloud providers who are trying to be all things to all people.
The provider should also offer on-demand Compliance as a Service for customers and audit control alignment to tailor compliance reporting for individual customers.
While each side has its own roles and responsibilities, the division of labor never rules out the need for mutual accountability. Work with your cloud provider to establish expectations and constantly monitor activities on both sides to make sure both teams are delivering.
Richard Stinton is an Enterprise Solutions Architect for the iland Europe, Middle East and Africa (EMEA) business and has more than 30 years’ experience in the IT industry, most recently in the cloud space with iland, Microsoft Azure and VMware. Starting out in engineering computer-aided design/computer-aided manufacturing (CAD/CAM) and geographic information system (GIS) systems at McDonnell Douglas and EDS, he moved to mainstream IT and systems/service management at HP, BMC Software and Mercury Interactive before joining VMware in its early days. Richard has a breadth of experience, having worked in customer support, sales, partner management and product marketing. In his current role, Richard works with customers to implement and optimize cloud technologies.