Infrastructure as a service (IaaS), sometimes referred to as “hardware as a service” (HaaS), is the most impactful computing paradigm to emerge since the boom of the internet and the growth of “as a service” delivery models. Alongside software as a service (SaaS) and platform as a service (PaaS), it is one of the three most common forms of cloud computing, providing third-party computing resources such as hardware, storage, servers, and networking components for data center space via the internet. In the case of IaaS, third-party providers offer computing infrastructure in a virtual environment so that any user in an organization can access it. Google Cloud, Amazon Web Services and Microsoft Azure® are some of the more notable examples of public cloud IaaS providers.
Benefits of IaaS and Security Implications
The move to the public cloud is driven strongly by the speed at which companies can build and deploy globally available, highly scalable applications. Businesses often choose IaaS because it enables them to replicate familiar on-premises architectures in cloud environments. By simply renting the resources they need, organizations avoid the costly upfront burden of building data centers, along with hardware maintenance and refresh logistics. IaaS poses few limitations on which applications or services can run, since many of the foundational resources available are the same as those in on-premises environments.
However, as with any other cloud service, IaaS comes with security risks that organizations must understand. Users can have direct access to the cloud infrastructure, hardware and networks. Therefore, an organization’s employees are all “privileged insiders” and can become security liabilities if identity and access control policies are not tightly managed. IaaS is also vulnerable to attackers who gain access by breaking encryption and who may then perform man-in-the-middle attacks to steal or modify data. Furthermore, attackers may try to hijack IaaS resources to run botnets, mine cryptocurrency or launch denial-of-service attacks.
Although deploying cloud services can vastly accelerate business growth and innovation, security cannot become a secondary consideration in these highly dynamic, distributed environments. When it comes to the security of IaaS environments, businesses tend to lean one of two ways: they rely solely on the service provider for security, or they extend in-house security measures to the cloud. Services like AWS® and Azure may offer security controls for their own cloud environments, but users are on their own to piece together the provided tools into functioning security coverage. Compounded by the fact that most businesses use multiple cloud environments at once, this approach quickly becomes overwhelming to build and manage effectively.
On the other hand, simply extending on-premises security to the cloud negates a lot of the cloud’s agile scalability. On-premises security products are designed to act as central points of control across an environment, but forcing all traffic through a single central control point in a highly distributed cloud environment introduces significant friction. Therefore, IT managers need to create strong IaaS security strategies that implement security technologies purpose-built for the cloud. Applications and data in the public cloud need to be protected at least as diligently as private networks and on-premises software, hardware, applications, and data. By working with a trusted partner experienced in combining native tools from cloud services with proven, next-generation security technologies, organizations will be able to better protect their cloud environments and prevent cyber breaches.