The security of data, systems and information must be ensured organizationally and technically for hardware, software and the underlying infrastructure. There are regulatory requirements and standards for this, and compliance with them must be monitored. A first look at a simple on-premises deployment quickly makes clear that all security and protective measures must be taken, coordinated, implemented, monitored and continuously updated by the company itself in accordance with the threat situation and the state of the art. This represents a major financial and organizational challenge, especially for small and medium-sized companies. How would using one of the three common cloud models pay off for a company?
Cloud Computing: The IaaS model
With the IaaS model, a company delegates the task of providing secure, certified, and state-of-the-art data center, server, network, and host infrastructure to a cloud provider. Compliance with norms, regulations and standards for the operation of the data center, the server and the network connection is therefore taken care of by the cloud provider. Necessary updates are carried out by the cloud provider without the customer having to purchase new hardware or hire or train new security personnel. The cloud customer also benefits from the provider’s infrastructure when it comes to data recovery and emergency management. Many cloud providers offer several options here, such as locally redundant or geo-redundant storage of data in data centers in different regions. Since the cloud provider competes with other providers and therefore has a great interest in being certified according to established security standards, the cloud customer also benefits from the provider’s continuously monitored compliance with common and high security standards.
Cloud Computing: The PaaS model
In the PaaS model, the cloud provider provides not only the infrastructure but also the security of the software required to operate a platform, such as operating systems and database systems. As a result, the implementation and review of software security measures are delegated to the cloud provider. This applies, for example, to the implementation of identity and access management, the provision of secure encryption protocols and the enforcement of compliance with good development practices. The PaaS model thus enables a customer to set up their own applications on a continuously checked and trustworthy infrastructure and software platform. This gives developers on the customer side a standardized and continuously monitored basis for the implementation of their own applications.
PaaS customers can often build on the provider’s security certifications. At the platform level, many cloud providers also provide special tools and services that give the customer the opportunity to achieve a higher level of security. These include, for example, tools for analyzing vulnerabilities or for analyzing and classifying data according to their protection requirements.
Cloud Computing: The SaaS model
The use of the SaaS model means the most far-reaching transfer of responsibilities from the cloud customer to the provider. Since the entire application is provided by the provider, the customer does not even have to develop the application. This means that further security and compliance controls relating to the software are transferred to the provider’s area of responsibility. Among other things, this includes the costly checking of the software for security gaps and the provision of continuous updates. Users of SaaS applications achieve a very high degree of flexibility, since the portfolio of IT services obtained via SaaS can be easily scaled or supplemented without additional investments in infrastructure, development or certifications. Audits and certifications that are directly related to the security of the hardware and software components are provided by the cloud provider.