Public cloud services can normally be accessed by anyone in possession of a credit card. For some services, an email address is all that’s required to access free trial versions.
So, if you are using a public cloud service, you have to accept that your adversaries can legitimately purchase a service ‘next door’ to yours.
In such instances, you probably want a high level of confidence in the controls separating your data from that of others.
Community cloud services host users from a specific community, such as the public sector.
These communities often have a shared risk appetite and generally expect members to conform to an agreed minimum standard or legal agreement.
Community cloud providers can often tailor their offerings to match community requirements. For example, a service provider could choose to meet specific UK government standards for personnel security screening, or conform to the required standard to connect to a government community network. These tailored offerings can sometimes reduce risks relating to one or more of the cloud security principles.
Private cloud services are deployed to support a single organisation. They normally offer the ability to tailor the architecture to meet specific security and business requirements. For example, if all consumers of the service are well known and low risk, then the level of assurance in separation required may be low.
For processing untrusted (possibly malicious) or very sensitive data, you may require higher confidence in the separation controls. You will need to manage, monitor and maintain the infrastructure yourself, unless an agreement exists with the cloud service provider to do this.
In many situations a private cloud service will operate within a single security domain (for example providing a virtual desktop, or test and development resources). In such scenarios, the cloud platform is simply another part of the enterprise IT environment and should be configured, managed and monitored as such.
Infrastructure as a Service (IaaS)
Offerings implemented using hardware virtualisation and leading virtualisation products can provide a good level of separation between workloads and data in community and public cloud platforms.
However, like all complex software, IaaS offerings will never be free from vulnerabilities and the risks that these bring.
IaaS services also place a much greater burden on the user to configure and operate them well.
Platform as a Service (PaaS)
PaaS offerings tend to have a larger attack surface than IaaS offerings since the separation between users is normally provided in higher level software rather than by a hypervisor. Community cloud PaaS offerings may provide some additional comfort for users where an acceptable use policy is in place that has been designed to reduce the risk of malicious workloads.
PaaS technologies are evolving rapidly and you should regularly verify that your platform choice meets your business and security needs.
Software as a Service (SaaS)
SaaS offerings tend to implement separation at a higher level than both IaaS and PaaS, meaning the potential attack surface for a would-be attacker is much greater.
Unless architected well, these services will often present a potentially higher risk than deploying software packages for a dedicated user within an IaaS or PaaS service.