I have been asked many times in the last few years about my definition of security in the cloud. I find this a question that should be answered with a question. I personally don't like it when I ask a question and the response is another question unless it is a rather broad topic and the question needs to be narrowed. In the case of the question of cloud security, the scope needs to be narrowed to discover what aspect of cloud security the asking person is interested.
My favorite definition revolves around Security as a Service; SaaS since there are a few definitions of SaaS. There is Storage as a Service, Software as a Service, and Security as a Service. There are other services offered in the cloud but for this blog we are going stay with security in the cloud.
Security as a Service as defined to me is like having a proxy server in the cloud. Whenever a user goes to the Internet, their browser is pointed to a web site. This web site is set as the only trusted site for any PC that is owned by a company. This site is like an extension to the private network of a company. Any web traffic that is entering and exiting must go through this site's security systems before being routed to the company PC. This includes; antivirus, anti-spam, anti-spyware, email, and URL filtering.
I know this may sound a lot like the security that is present at your existing network with some very convenient differences. If all of the companies PC/laptops are forced to go through the "proxy" web site regardless where they physically log onto the Internet, the security measures will always be available. An example, your company has numerous road warriors that spend minimal time at the "office" and they are going to the Internet from cellular Internet cards, hotspots, or their home cable/dsl.
When they are away from the office, all those protections that we as security professionals so painstakingly chose to stop malware are out of the picture. The user can go wherever they wish on the Internet, download whatever they want to the company computer. Many of you are thinking, have them sign a document that tells them what is allowed to be done with the company PC. I will tell you from personal experience; the end users will forget whatever they signed and do things that will put their system at risk without intentional malice.
Using Security as a Service defined as I have stated will not only limit them from being compromised but will decrease the number of Laptops that need to be re-imaged. Another benefit of SaaS is URL filtering that will not allow the users to go web sites that are listed as malicious. The security personnel will have the ability to log wherever a user went on the Internet and/or block them from using a company asset for illicit purposes.
That would be my definition of Security as a Service but there is other definitions. There are services that are offered that will manage the email for a company in conjunction with email encryption. The backup of the mail store would be part of the service so it eliminates the hardware or software maintenance. Whenever a new version of the mail system software is released the IT team can chose if and when they want to migrate to the latest and greatest.
