Posts tagged VPN
Secure what you put into the cloud, pt. 2

IaaS includes services such as Rackspace and Amazon EC2. In contrast to SaaS, enterprise IT has complete ownership of which applications are deployed in an IaaS environment, and a good degree of flexibility in securing them at the edge of the cloud. Start with a micro-perimeter that can be deployed in the cloud, spun up and down elastically, and that protects REST/JSON-style APIs.

For IaaS environments accessed exclusively via VPN, you can treat cloud applications like on-premise applications. But instead of deploying an agent as the policy enforcement point (PEP) for each application, use a more scalable and secure API gateway as a proxy-based PEP. If your applications need to be accessible to third parties, consider using a federation model instead of requiring VPN access.

For data security, on-premise DLP technology can work equally well for IaaS applications if it is made available as a standardized service that can be automatically provisioned.


Adopt a “shrinking” security model based on micro-perimeters, pt. 1

In the past, security architectures followed the so-called “M&M model” of the hard crunchy shell and soft center. The bad guys would be stopped at the perimeter. As cloud and mobile computing extend the reach of the enterprise well beyond the perimeters of the past, the traditional security model of allowing good guys in and keeping bad guys out is no longer sufficient. As counter-intuitive as it might seem, security perimeters should actually shrink in the expanding BYOx (bring your own device/application/identity) world.

In essence, what was big is now small and what was small is now big. The idea is to protect the small entities (applications, APIs, devices and data) by creating massively scalable micro-perimeters around them. The data itself is protected, rather than an artificial perimeter being drawn around the organization. This approach lets the business benefit from the increased agility and scalability of a cloud strategy while IT can be confident the company’s data is safe. The key to applying a “micro-perimeter” is an API gateway, which applies security at the level of the APIs used to connect to the cloud services.

In the old days, most business applications were only accessible on the corporate network via a browser or fat client, so they only needed rudimentary authentication and authorization capabilities. Now, with the pervasiveness of cloud-based services and mobile devices, the network perimeter has effectively evaporated and application security is a front-and-center issue.

By shrinking the security perimeter to surround each individual application, that is, by moving any access control previously implemented at the network level to the application level, enterprise IT can control user access from anywhere and from any device, without relying on a cumbersome VPN connection.

When setting up a micro-perimeter around applications, keep in mind that building authentication, single sign-on and authorization capabilities into individual applications is neither economical nor scalable. Look for a gateway architecture that can front both new and legacy applications and support the latest federation standards such as OAuth 2.0, OpenID Connect and SCIM (System for Cross-domain Identity Management).
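Both excerpts above make the same architectural point: put a gateway in front of the application as the policy enforcement point (PEP), and let it speak OAuth 2.0 so that access control lives at the application level rather than in the network. The following is an added example, not code from the original posts or from any gateway product. It is a minimal proxy-style PEP in Python: a deny-by-default route policy table, a bearer-token check, and a scope check that all run before the fronted application is called. The HS256 shared-key token minting, the `SIGNING_KEY`, the `POLICY` table and the `/api/...` routes are constructed for the example; a real deployment would validate tokens issued by an authorization server (typically with an asymmetric key) instead of minting its own.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: a real gateway would load this (or an issuer's public
# key for RS256/ES256) from a secret store, never from source.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

# Route policy table (constructed): (method, path) -> OAuth 2.0 scope required,
# or None for a public route. Anything not listed is denied: deny by default.
POLICY = {
    ("GET", "/api/health"): None,
    ("GET", "/api/orders"): "orders:read",
    ("POST", "/api/orders"): "orders:write",
}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub, scopes, ttl=300, now=None, key=SIGNING_KEY):
    """Stand-in for the authorization server (hypothetical): issues an HS256 JWT
    carrying a space-separated scope claim so the example runs offline."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(token, now=None, key=SIGNING_KEY):
    """Return the claims if the token is well-formed, HS256-signed with `key`
    and unexpired; otherwise None. Every failure is a plain reject."""
    try:
        h, p, s = token.split(".")
        header = json.loads(unb64url(h))
        if header.get("alg") != "HS256":          # refuse "none" and algorithm confusion
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(s)):
            return None
        claims = json.loads(unb64url(p))
    except ValueError:                            # bad base64, bad JSON, wrong segment count
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def enforce(method, path, headers, now=None):
    """Policy enforcement point. Returns (status, detail): 200 means the request
    may be forwarded to the backend and detail is the authenticated subject."""
    if (method, path) not in POLICY:
        return 403, "no policy for route (deny by default)"
    required = POLICY[(method, path)]
    if required is None:
        return 200, "public"
    auth = headers.get("Authorization", "")      # exact header name assumed for the demo
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, "invalid or expired token"
    if required not in claims.get("scope", "").split():
        return 403, f"scope {required} required"
    return 200, claims["sub"]


def handle(method, path, headers, backend, now=None):
    """The gateway loop: enforce first, call the application only on 200.
    `backend` is any callable standing in for the fronted application."""
    status, detail = enforce(method, path, headers, now=now)
    if status != 200:
        return status, {"error": detail}
    return 200, backend(method, path, subject=detail)


if __name__ == "__main__":
    def orders_backend(method, path, subject):
        return {"orders": [] if subject == "public" else [{"id": 1, "owner": subject}]}

    token = mint_token("alice", ["orders:read"])
    print(handle("GET", "/api/orders", {"Authorization": f"Bearer {token}"}, orders_backend))
    print(handle("POST", "/api/orders", {"Authorization": f"Bearer {token}"}, orders_backend))
```

The point of the layout is that the application (`backend`) never sees an unauthenticated or under-scoped request, and routes that nobody has written a policy for are refused rather than silently proxied. Moving `POLICY` to a configuration store and swapping `verify_token` for validation against the authorization server's published keys is what turns this sketch into the gateway-as-PEP pattern the posts describe.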
