are dynamically added and subtracted in response to changing
application load.
First of all, cloud computing leverages virtualization, which
breaks the association between an application and a physical server.
Consequently, assuming that security can be tied to physical resources is
no longer practical. Cloud computing extends virtualization with
dynamism: the ability for applications to rapidly change deployment
topology. Moreover, user self-service (on-demand self-service, the first
of NIST's essential cloud computing characteristics) means that the
assumption of extended deployment timelines, with sufficient opportunity
for security review and implementation before an application moves into
production, is no longer valid.
• Pooled resources: cloud computing abstracts use from assets, so that
use (i.e., application operation) is not associated with a particular set
of computing resources, but is instead hosted in a general pool of
computing resources. This means that the location of specific application
components may change from time to time as loads are rebalanced
within the resource pool. It also means that security measures
must not be associated with specific hardware, but must instead
migrate dynamically along with the application as it moves from one
set of computing resources to another.
In a pooled resource environment, no single user controls the infrastructure,
so the common appliance solution is not possible; after all,
one user's traffic examination appliance is another user's intrusion
threat. Consequently, the shared environment of cloud computing
negates many traditional security practices.
• Security deperimeterization: Because cloud applications operate in
a dynamic, shared resource pool, traditional security solutions are
often unusable. Relying on a network-attached appliance to examine
all network traffic is unworkable, due to restrictions imposed
by cloud providers. Moreover, the ongoing opening up of applications
to external parties like partners and customers also means that
the traditional model of imposing strong security at the data center
perimeter (i.e., relying on a restrictive firewall to prevent traffic
from reaching internal resources) is unsustainable as well. The new
model of security requires that each endpoint implement security
measures to protect itself as appropriate.
These changes, combined, mean that the traditional models of security,
governance, and compliance all change in the world of cloud computing.
In the areas of security and compliance, the cloud user and cloud provider
both hold some of the responsibility. The interface between where one party's
responsibility ends and the other's begins may be referred to as the trust
boundary. In its basic form, the trust boundary represents a demarcation