Many see cloud computing as one huge monolithic wave sweeping through the business world. However, there are many different types of clouds, and the risks -- and the methodologies needed to address them -- vary as much as the cloud models themselves. Vordel's Mark O'Neill, writing in Computing Technology Review, dissects the differing security issues in Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS):
Software as a Service (SaaS): Issue #1 here is password management. Since SaaS delivers applications from the cloud, the main risk is likely to stem from multiple passwords accessing applications, O'Neill says. "An organization can solve these issues by opting for a single sign-on option between on-premise systems and cloud. By leveraging a single sign-on option, users are able to access both their own desktops and any cloud services via a single password.... This approach also reduces the incidences of dangling accounts – which are vulnerable to unauthorized usage – after users leave organizations."
Platform as a Service (PaaS): Issue #1 here is data encryption. PaaS can be inherently secure, but the risk is slow system performance. That's because data encryption is recommended before data is sent to PaaS cloud providers, O'Neill says. The risk is that encrypting every piece of data will also eat up consumer organizations' CPU cycles and slow things down. Still, any solution implemented should broker the connection to the cloud service and automatically encrypt "confidential user data such as home addresses, social security numbers or even medical records."
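One way such a broker could encrypt only the confidential fields of a record before it leaves for the PaaS provider, so that cipher work is spent on sensitive data rather than on every piece of data. This is an added example, not code from the article or from Vordel; AES-GCM, the `Broker` and `NewAEAD` functions, the field names and the all-zero demo key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

var confidential = map[string]bool{"home_address": true, "ssn": true, "medical_record": true} // assumed policy

func NewAEAD(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256-GCM
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Broker encrypts (outbound) or decrypts (inbound) confidential fields only.
func Broker(a cipher.AEAD, rec map[string]string, inbound bool) (map[string]string, error) {
	out, n := make(map[string]string, len(rec)), a.NonceSize()
	for k, v := range rec {
		if confidential[k] && inbound {
			raw, err := base64.StdEncoding.DecodeString(v)
			if err != nil || len(raw) < n {
				return nil, fmt.Errorf("field %q: malformed ciphertext", k)
			}
			pt, err := a.Open(nil, raw[:n], raw[n:], []byte(k)) // field name is the AAD
			if err != nil {
				return nil, fmt.Errorf("field %q: %w", k, err)
			}
			v = string(pt)
		} else if confidential[k] {
			nonce := make([]byte, n)
			if _, err := rand.Read(nonce); err != nil {
				return nil, err
			}
			v = base64.StdEncoding.EncodeToString(a.Seal(nonce, nonce, []byte(v), []byte(k)))
		}
		out[k] = v // non-confidential fields pass through with no cipher work
	}
	return out, nil
}

func main() {
	a, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key, not for real use
	fmt.Println(Broker(a, map[string]string{"plan": "gold", "ssn": "000-00-0000"}, false))
}
```

Because the field name is passed as associated data, a ciphertext that is moved to a different field on the provider side fails authentication when the broker reads it back.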
Infrastructure as a Service (IaaS): Issue #1 here is rogue users. IaaS focuses on managing virtual machines, and the risks are little different than with other cloud types -- here, the main risk is rogue or unwarranted commandeering of services. IaaS requires governance and usage monitoring, and O'Neill recommends that enterprises establish cloud service governance frameworks that help prevent employees accessing information or services they are not permitted to use. "It also prevents them from running up costs on virtual machines or setting up their own accounts to access services paid for by the organization," he says.