“Many people assume…that private clouds are more secure than public clouds. That is the tendency that people have….But you have to look at the actual implementation model to know”, Mell told Infosecurity.
“With public clouds people point to the fact that anybody in the world can get access to them; thus, the threat exposure is very high. So people assume that they are less secure”, Mell noted.
“On the public side, you have a greater threat exposure, but you may have the ability to focus more security resources toward security. On the private cloud side, you might have less threat exposure, but you may have fewer resources to devote to security”, he said.
Mell is the author of the 'NIST Cloud Computing Definition', the 16th and final version of which was released last week.
The NIST definition lists five characteristics of cloud computing: on-demand self-service, broad network access, resource pooling, rapid elasticity or expansion, and measured service. It also lists three service models (software, platform, and infrastructure) and four deployment models (private, community, public, and hybrid) that together categorize ways to deliver cloud services. The definition is intended to serve as a means for comparisons of cloud services and deployment strategies and to provide a baseline for discussion from what is cloud computing to how to best use cloud computing.
While the definition does not address security directly, there are security implications within the definitions, Mell explained. “We believe that definitional components of cloud reveal things that are inherently cloud security issues.”
For example, the report defines “resource pooling” as follows: “The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).”
Mell said that resource pooling provides certain benefits in terms of security. “All the resources in the single pool are protected by a single security model….You can take all of your security resources and focus on a relatively simple security problem based on that single security model”, he related.
This compares to the diverse security problems posed by traditional IT systems. “You have to juggle and manage many different security models for many different IT stovepipes within your organization”, Mell said.