Pillars Of Cloudiness: No. 5 – Security

There are five essential pillars of cloudiness. In this recurring blog series, we’ll count down from No. 5 to No. 1. In this first post, we discuss security.

One of the biggest misconceptions about cloud computing today is the perception that it’s insecure. The reality is that the risks traditional applications face are the same as those found in the cloud. The cloud does, however, change the security conversation: security becomes, in part, the responsibility of both the application builder and the cloud hosting provider.

There are three common scenarios that describe cloud hosting: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). Each of these scenarios places responsibility for security in both the cloud hosting provider’s hands and yours. As you move from IaaS to SaaS, your responsibility for security decreases.

For a deeper dive into security on the open cloud, check out the DevOps Blog.

IaaS is the foundational building block of the cloud. In an IaaS environment, the cloud hosting provider supplies raw compute power. This puts the onus on you, the consumer, to implement the correct security protocols. When building on IaaS environments, one of the most commonly overlooked issues is system patching. When a new server is booted, it is likely already out of date on software patches: the images it boots from were built and made available months, sometimes years, before being built into servers.

This is where software configuration management (SCM) tools such as Chef and Puppet can save the day. These tools help bring systems up to date on patches, and can also be configured to lay down configuration files you have hand-built to suit your application’s needs.
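The patch gap described above can be checked on the server itself before it goes into service. The following is an added example, not part of the original post or of Chef or Puppet. It assumes a Debian or Ubuntu image with `apt`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate a freshly booted server on its patch state.
# Real use, after the SCM tool has converged (simulation mode changes nothing):
#   apt-get update -qq && apt-get -s dist-upgrade | patch_gate

# Reads `apt-get -s dist-upgrade` output on stdin and prints
# "<total> <security>": pending upgrades, and how many come from a
# security archive.
count_pending() {
    awk '
        $1 == "Inst" {
            total++
            # Only inspect the "(new-version origin...)" part, so a package
            # whose *name* contains "-security" is not miscounted.
            origin = substr($0, index($0, "("))
            if (origin ~ /-security/) security++
        }
        END { printf "%d %d\n", total, security }
    '
}

# Returns 0 (ready for service) only when no security upgrades are pending.
patch_gate() {
    set -- $(count_pending)
    echo "pending=$1 security=$2"
    [ "$2" -eq 0 ]
}

# Constructed sample of simulation output from a stale image
# (package versions are made up).
SAMPLE_SIM_OUTPUT='Reading package lists...
The following packages will be upgraded:
  libapache2-mod-security2 openssl tzdata
Inst openssl [1.0-1] (1.0-2 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst tzdata [1.0-1] (1.0-2 Ubuntu:22.04/jammy-updates [all])
Inst libapache2-mod-security2 [1.0-1] (1.0-2 Ubuntu:22.04/jammy-updates [amd64])
Conf openssl (1.0-2 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
'

printf '%s' "$SAMPLE_SIM_OUTPUT" | patch_gate || echo "server is not ready: security patches missing"
```

Run as the last step of provisioning, a non-zero exit from `patch_gate` keeps a stale server out of the load balancer until the patch run has completed.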

PaaS adds to IaaS and provides the next building block of the cloud. IaaS lays down an environment in which an application can be developed and housed. PaaS doesn’t just provide raw compute but also libraries and frameworks for the environment it supports. This lowers the liability and responsibility assumed by the consumer.

SaaS is considered the top level of cloud applications. A full application has been built, security has been baked in at every level and you now have the least amount of responsibility in ensuring application security. You are not relieved of all security management; this is just traditionally where the least amount of management has to occur, and that is enticing to many businesses.

A good rule of thumb is that the further down the stack a cloud offering is, the more responsible you are as a user for tactically implementing and managing security. Ultimately, security in the cloud is a shared responsibility between you and your cloud hosting provider. It is key to understand what each side provides in terms of security, as well as the legal and contractual aspects.

For a more detailed technical look at security, check out Racker Hart Hoover’s post on the DevOps Blog. Tune in next week when Wayne talks about the second pillar of cloudiness: being agile through product knowledge. Need more information about developing on the cloud? Be sure to check out our Rackspace Cloud API documentation and the Rackspace DevOps blog.

Wayne Walls is a Cloud Architect at Rackspace, where he evangelizes global cloud strategy. A tenured technology leader, Wayne has engineered complex technical solutions, delivered IT transformation plans, and implemented multiple training initiatives around cloud computing. Co-maintainer of the Rackspace Developer blog, Wayne is helping developers, engineers, and executives understand cloud technologies and how to turn that knowledge into tangible returns. He holds a B.S. of Information Systems and a B.A. of Economics from the University of Oklahoma. Follow him on Twitter at @waynewalls.


  1. All these comments use abbreviations that mean nothing to most people and do not accurately describe the product, or operation adequately. Buzz words!

  2. The fear many companies have is that there’s no way to break the link from the company to the Internet in order to access Cloud services. If employees can access the Cloud, so can data thieves. An irate Russian or Chinese blackmailer can launch a denial-of-service attack which not only disrupts a company’s Internet presence and e-commerce, but also prevents company employees from getting any work done because all their productivity software and databases reside in the Cloud. Is there a way to nullify this kind of attack and still use Cloud services?

  3. The government has full access to any cloud stored information without any pesky warrants, so if you want to be a good citizen store your stuff in the clouds.

    • Erik is correct and I don’t think that enough attention is drawn to this. Marketing and Big GOV like the cloud because they have found by renaming the internet to “the cloud” people will pay to hand over private and corporate info instead of fighting for it. Without the Constitution protecting your private data, security is useless. I sound anti-cloud, but I can’t help but think it to be an overblown marketing gimmick with serious and intentional privacy intrusions.

