One thing is guaranteed at InfoSec this year—there will be plenty of people talking about the cloud. However, they will not all be talking about the same thing. When it comes to IT security they will be taking one of three angles; securing the cloud, using the cloud securely and using the cloud to deliver security. If you can establish early on which of these any given discussion alludes to you then you may proceed with a little more clarity.

Having said that, many discussions involving the cloud tend be a bit vague. So you would also be well advised to establish what sort of cloud is being alluded to, as Quocirca will in this article. If it is a public cloud service, is it regarding the provision of infrastructure or applications? – i.e. infrastructure as a service/IaaS or software as a service/SaaS. If it is not a discussion about public cloud services then it must about the private cloud, which is just an efficient way of configuring and using private data centre resources using technology that has been developed to build a public cloud infrastructure.

Let’s take the first of those security issues mentioned above—securing the cloud or, to be precise, helping IaaS and PaaS providers secure their services. These service providers need firewalls, intrusion protection, content security etc. just as those configuring private IT infrastructure do. There are some differences, mainly around scalability; the fast growing number of users of public cloud services means providers need highly scalable and reliable products to be able to keep growing and maintain service levels. There are also some specific issues with regard to virtualised infrastructure and multi-tenancy platforms that they need to address. However, on the whole, one should expect, given the stakes and the effort put in, that public cloud services will in many cases be more secure than privately owned and run IT infrastructure.

The second issue is secure use of the cloud. This involves making sure the communication between an organisation’s users and the cloud services they are expected to use is secure. This is really no different to making sure remote users can safely access privately owned IT applications and infrastructure. Cloud service providers know what they are doing here too; for them everyone is an outsider, so the default is to authenticate access and communicate securely. It also involves making sure the use of cloud based services employees invoke themselves is secure (social networks, web mail, collaboration tools etc.) Much of this is about content filtering, preventing bad stuff coming in and good stuff getting into the wrong hands.

The final issue is using the cloud to deliver security. This is an established and growing practice. One of the first use cases was to deliver anti-virus updates over the internet rather than distributing them on diskettes. Perhaps the largest cloud based service is Microsoft update, delivering patches to hundreds of millions of PCs on a regular basis to try and keep them secure from the latest exploits. Email filtering, web content filtering, security management and a range of other requirements are being delivered as on-demand service by security vendors and the managed security service providers (MSSP) they partner with. They also rely of the cloud to gather most of the information they have on known threats through their protection networks.

Enjoy InfoSec; you won’t be able to avoid discussions about the cloud, but you can get more out of them if you establish the angle a given vendor is taking. Don’t cloud over—but be cloud aware.