search menu icon-carat-right cmu-wordmark

Monitoring Cloud Computing by Layer, Part 1

White Paper
In this paper, Jonathan Spring presents a set of recommended restrictions and audits to facilitate cloud security.

Software Engineering Institute


The general characteristics of cloud computing's three service models - software as a service (SaS), platform as a service (PaaS), and infrastructure as a service (IaaS) - include on-demand self service, broad network access, pooling of resources, rapid elasticity of provisioning resources, and service or resource monitoring.  On the basis of the Cloud Security Alliance's work, a cloud is modeled in seven layers: facility, network, hardware, OS, middleware, application, and the user.  These layers can be controlled by either the cloud provider or the cloud customer.

Table 1 identifies which layers the cloud provider controls under the three service models. Any service-level agreement (SLA) should clearly delineate these lines of responsibility. Analyzing these controls per cloud layer can make it easier to manage auditing and security monitoring. The desired controls don't change significantly for a given layer according to whether the cloud provider or customer manages that layer, but implementation and scalability differences exist. Regardless of who's responsible for the layer, the customer must ensure that the controls are enacted according to its standards.

Most clouds receiving publicity are public clouds, which are resources owned and managed by a vendor that sells or leases its services to a large industry group or the public. Public clouds carry the highest risk of data exposure and compromise owing to the less controlled environment and must be handled with the appropriate caution. Any cloud project will have idiosyncrasies, and each requires its own risk assessment.

Here, I present a set of recommended restrictions and audits to facilitate cloud security. Although the recommendations might be overkill for deployments involving no sensitive data, they might be insufficient to allow certain information to be hosted in any public or community cloud. Owing to space constraints, I cover only the lower four layers here. Part 2 will complete the discussion by covering the middleware, application, and user layers.