What does “cloud” mean?

Historically, companies maintained their systems and networks in their own data centers or colocation facilities. Advancements in virtualization technology and Internet network speeds made it possible to host companies’ infrastructure and applications in remote, shared data centers. These changes enabled them to partially or completely outsource their infrastructure management or application development and focus on their primary business.

Because of the benefits, more and more companies maintain their applications and infrastructure in the cloud. The term cloud refers to infrastructure or software maintained by a provider. There are several types of cloud service providers, including:

  • Infrastructure-as-a-Service (IaaS) – IaaS provides the company with a remote data center and remotely built virtual networks, servers, and other infrastructure components. IaaS providers include Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Services (GCS). There are other companies providing such services, but these three providers are the largest.
  • Platform-as-a-Service (PaaS) – PaaS providers add another layer on top of IaaS and provide platforms that can be customized by customers to meet their needs. PaaS providers include AWS, Azure, GCP, Salesforce, VMware, and many others.
  • Software-as-a-Service (SaaS) – SaaS offerings are shared applications that are hosted online. There are many examples of such services, including G Suite, Office 365, QuickBooks, Dropbox, etc.

Why must you address the security of your cloud services?

Cloud is a new approach to managing system infrastructure and applications and introduces new security and compliance risks. While most cloud providers do a pretty good job securing their services, one should never assume that the cloud providers are responsible for all aspects of security. Many responsibilities still belong to the customer. Different types of cloud services introduce different security and compliance risks.

IaaS providers are only responsible for the physical security of data centers and the security of the infrastructure management software. Customers have the responsibility for creating virtual networks and servers, establishing access rules, managing server patches and vulnerabilities, encrypting data, and all other security above the physical layer. Additionally, customers are also responsible for ensuring secure access to their cloud management system. 

PaaS providers reduce the share of customers’ responsibility by managing the infrastructure. However, customers are responsible for the security of applications deployed on the platform. Just like with IaaS, they set the rules for security of access to their management platform.  

SaaS solutions require little user input.  As long as the customer appropriately manages access to a SaaS application and keeps access credentials confidential, the provider takes care of all other security checks. However, the customer must make sure that the level of security and compliance provided by the SaaS vendor is sufficient for the type of data that the customer intends to use with the service. 

For any type of cloud service, the customer must ensure that its applications and services are managed and deployed in compliance with applicable laws and regulations. The cloud vendor must have processes, people, and checks in place, and all necessary agreements, such as the Business Associate Agreement (BAA) required by HIPAA or the Data Processing Agreement (DPA) required by GDPR, must be signed. Additionally, businesses need to have a process in place to conduct periodic reviews of the cloud provider’s security and compliance status. This can be achieved by conducting periodic reviews of the vendor’s audit reports, such as SOC 2 Type II, and certifications (e.g., ISO 27001, HITRUST, etc.).

How can Planet 9 help?

The Planet 9 team has experience in ensuring the security of cloud services, be it IaaS, PaaS, or SaaS. Our cloud security experts will assess your cloud management accounts and infrastructure and provide recommendations for addressing identified security and compliance gaps. Depending on the client’s internal resources, expertise, and availability, Planet 9 can perform all the remediation work, position the client to execute remediation on its own, or supplement the client’s team.