When considering cloud security, it is important to remember that most, if not all, cloud service providers operate a policy of ‘shared responsibility’. This means that the cloud provider takes responsibility for securing the stack they provide (the physical facilities, the network and the platform itself), while the consumer takes responsibility for securing the applications and systems they build or provision on top of it. In the case of IBM Cloud Infrastructure as a Service, the following diagram illustrates this:
Measures proportionate to risk of loss
Security is often about risk management. We need to think about exposure to risk. The security controls we put in place mitigate those risks, and the measures taken should be proportionate to the value of the ‘object’ that is at risk. For example, think about how you would secure $100 as opposed to $100,000. You would probably be comfortable leaving $100 in your locked house and might not even give it a second thought. However, you would want a safe to store $100,000 or, more likely, you would put it in a bank. If you were out in public, you would conceal the $100 in a purse or wallet and keep it out of sight, while you would consider hiring a security firm to transport $100,000.
Why the different behaviours? In each scenario the risk changes, so you act accordingly. In both cases, you spend more and take more care to protect the higher-value amount of money because the potential loss is greater. The same principles apply to IT: the way that systems and data are secured will depend on the potential loss (including damage to the business) and the associated cost of mitigating the risk. Public cloud and private cloud also present different challenges, so the same workload may warrant different controls depending on where it runs.
I mentioned ‘shared responsibility’ earlier. As a provider of secure cloud services, IBM takes its responsibilities very seriously. Measures are taken to ensure the security of the underlying platform, based on certifiable industry standards. These include both physical protections (such as locks on data centre doors) as well as non-physical protections (such as intrusion detection software).
However, because every application has a different set of security requirements, users are responsible for securing the applications and infrastructure that they create or provision on the platform. For example, because one configuration does not suit all, IBM Cloud does not provide a particular operating system lock-down. If there are operating system services which a customer’s security team sees as a risk, it is the customer’s responsibility to enforce that policy and shut them down; in practice that means establishing what a freshly provisioned instance actually exposes and disabling anything the workload does not need. Similarly, while IBM Cloud provides network protection, ultimately the user must ensure that their own systems are adequately secured and protected by one or more correctly configured firewalls which they provision. If securing data at rest and/or in transit is a major concern, the customer must ensure that they are using the appropriate storage service.
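As an added example (not part of the original post or of any IBM Cloud tooling), the following POSIX shell script shows the kind of check a customer would run on a provisioned instance to discharge the operating-system part of their responsibility: it compares the TCP services actually listening on the host, as reported by `ss -H -tlnp`, against an allow-list of ports the workload is supposed to expose, and prints anything else. The allow-list (SSH and HTTPS) and the sample `ss` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit listening TCP services against an allow-list.
# Under the shared responsibility model the provider does not lock down the
# OS for you, so a listener you did not intend to expose is your problem.

# Assumption: this workload is a web server managed over SSH, so only these
# local ports should be listening. Adjust per workload.
ALLOWED_PORTS="22 443"

# Read `ss -H -tlnp` output on stdin and print one line per listener whose
# local port is not in $ALLOWED_PORTS: "<local addr:port> <process info>".
# Column 4 of ss output is "Local Address:Port"; the port follows the last ':'
# so IPv6 forms such as [::]:22 and wildcard forms such as *:22 are handled.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        {
            port = $4
            sub(/.*:/, "", port)
            if (!(port in ok)) print $4, $NF
        }
    '
}

# Constructed sample resembling `ss -H -tlnp` on a host where a Telnet daemon
# and a database are listening alongside the intended sshd and nginx.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1204,fd=6))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("in.telnetd",pid=930,fd=4))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1370,fd=20))'

# Run the audit over the constructed sample; returns the offending listeners.
audit_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_listeners
}

# Run the audit against the live host; exit status 1 if anything unexpected
# is listening, which makes it usable as a post-provisioning gate.
audit_live_host() {
    found=$(ss -H -tlnp | unexpected_listeners)
    if [ -n "$found" ]; then
        printf 'Unexpected listeners:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}
```

On the sample the script reports the Telnet listener on port 23 and the MySQL listener on port 3306 and nothing else; on a real host, `audit_live_host` is the function to run after provisioning and again whenever the image or package set changes, since a default image may start services the workload never needed. Once a listener is flagged, the policy decision (stop and disable the unit, restrict it to localhost, or add it to the allow-list deliberately) remains the customer's, which is precisely the point of the shared responsibility model.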
IBM Cloud offers a variety of services which suit different needs, including services specific to security. For example, several types of firewall for different scenarios are offered, enabling the user to choose the solution that best meets their own requirements.
To find out more about IBM Cloud’s security, check out a paper that I created describing how IBM Cloud meets the security principles laid out by the UK’s National Cyber Security Centre (NCSC), at this link.