Infrastructure-as-a-Service (IaaS) is a cloud computing model where virtual machines are created and used to manage cloud-based information technology and network infrastructure. Organizations can create virtual machines, choose physical host locations, and leverage APIs to manage and configure the cloud-based infrastructure.
The National Institute of Standards and Technology defines Infrastructure-as-a-Service as:
“The capability provided to the consumer to provision processing, storage, networks, as well as other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).”
Cloud infrastructure services are not limited to offerings from AWS, Azure, GCP, and other infrastructure providers; they also encompass DevOps tools and processes such as Chef, Puppet, GitHub, and Jenkins, and orchestration tools such as Ansible, Swarm, Kubernetes, and Mesos.
When considering public cloud services, organizations should review the shared responsibility matrix. The matrix dictates which security tasks are handled by the cloud provider and which tasks are handled by the organization. The security responsibilities differ depending on whether the work is hosted on Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or in an on-premises datacenter.
This shared responsibility model helps reduce the customer’s operational duties as the IaaS platform manages and controls components from the operating system and virtualization layers down to the physical security of the facilities where the service operates. The customer is responsible for the guest operating system (including updates and security patches) and application software, as well as the configuration of the IaaS firewall.
An organization's responsibilities vary depending on the services it chooses, how those services are integrated into its IT environment, and the laws and regulations it must comply with. The nature of this shared responsibility also provides the flexibility and customer control that permit such deployments. As shown in the chart below, this differentiation of responsibility is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud.
If you manage your own data center, you also manage all security responsibilities. As you add cloud services, some responsibilities transfer to the provider. The following diagram illustrates which security responsibilities are managed by the organization, IaaS providers, PaaS providers, SaaS providers, and FaaS providers.
Microsoft Azure, https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
Amazon Web Services, https://aws.amazon.com/compliance/shared-responsibility-model/
To dive deeper into the shared responsibility matrix, check out the blogs of major IaaS providers like Microsoft Azure or Amazon Web Services.
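The part of the matrix that stays with the IaaS customer includes the configuration of the cloud firewall (security groups). The following script, added here as an illustration and not taken from any provider's documentation or from Saviynt's product, audits a constructed, provider-neutral security-group description for the kind of customer-side misconfiguration that the model leaves to the consumer: sensitive services or wide port ranges exposed to public source ranges. The rule schema, the port list, and the sample group are assumptions made for this example.

```python
"""Audit a provider-neutral security-group description for customer-side
firewall misconfigurations (the "security in the cloud" half of the shared
responsibility model). The rule format and sample data are constructed for
this example and do not follow any provider's real API schema."""
import ipaddress

# Services whose exposure to the whole Internet is almost never intended.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql",
    1433: "mssql", 27017: "mongodb", 6379: "redis", 9200: "elasticsearch",
}

# Source ranges treated as internal; anything else is considered public.
PRIVATE_RANGES = {
    4: [ipaddress.ip_network(c) for c in
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
         "127.0.0.0/8", "169.254.0.0/16")],
    6: [ipaddress.ip_network(c) for c in ("::1/128", "fc00::/7", "fe80::/10")],
}

# Constructed sample group mixing sane and risky ingress rules.
SAMPLE_SECURITY_GROUP = {
    "name": "sg-web-tier",
    "ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
        {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "0.0.0.0/0"},
        {"protocol": "tcp", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
        {"protocol": "-1", "from_port": None, "to_port": None, "cidr": "172.16.0.0/12"},
    ],
}


def is_public_source(cidr: str) -> bool:
    """True unless the whole source range sits inside a private/loopback/link-local block."""
    network = ipaddress.ip_network(cidr, strict=False)
    return not any(network.subnet_of(r) for r in PRIVATE_RANGES[network.version])


def rule_ports(rule: dict):
    """Inclusive (from, to) port range a rule covers; protocol "-1" (all
    protocols) or missing ports means every port."""
    if rule.get("protocol") == "-1" or rule.get("from_port") is None:
        return 0, 65535
    return int(rule["from_port"]), int(rule["to_port"])


def find_risky_rules(security_group: dict) -> list:
    """Return one finding per ingress rule that exposes a sensitive service or a
    wide port range to a public source range."""
    findings = []
    for rule in security_group.get("ingress", []):
        if not is_public_source(rule["cidr"]):
            continue
        lo, hi = rule_ports(rule)
        exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        if hi - lo >= 1024:
            findings.append({"rule": rule, "severity": "high",
                             "reason": f"wide port range {lo}-{hi} open to {rule['cidr']}"})
        elif exposed:
            names = ", ".join(SENSITIVE_PORTS[p] for p in exposed)
            findings.append({"rule": rule, "severity": "high",
                             "reason": f"{names} open to {rule['cidr']}"})
    return findings


if __name__ == "__main__":
    for finding in find_risky_rules(SAMPLE_SECURITY_GROUP):
        print(f"[{finding['severity']}] {SAMPLE_SECURITY_GROUP['name']}: {finding['reason']}")
```

Run against the sample, the HTTPS rule passes, the SSH rule is ignored because its source is an internal range, and two findings are raised: PostgreSQL reachable from 0.0.0.0/0 and an all-ports rule open to the Internet. The provider keeps the hypervisor and physical network patched regardless of what this script reports; the findings are entirely on the customer's side of the matrix.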
To stay competitive in today’s global market, businesses must embrace digital transformation. However, transitioning from on-premises data centers to cloud providers requires a new security paradigm that can address risks posed by sophisticated attackers as well as direct and indirect insider threats.
Saviynt’s Infrastructure Access Governance (IAG) provides a single-pane-of-glass that scales security monitoring and management across cloud services and ecosystems, accelerating mission-critical workloads and data cloud migration while enforcing security and compliance controls.
Saviynt provides unparalleled, centralized cloud security visibility, governance, and remediation at scale across cloud providers. With Saviynt, businesses can strengthen security with smart policies, continuously monitor risk in their workloads and cloud assets, and apply standards and controls to meet organizational security policies and regulatory compliance.
Saviynt secures all accounts and identities across your cloud platforms with identity lifecycle management. Saviynt prevents orphaned accounts and excess access risks with time-bound rules and granular access, either provisioning with federation identity providers or directly provisioning users into cloud consoles.
Saviynt’s just-in-time (JIT), duration-based permissions for privileged access maintain Zero Standing Privilege in the Continuous Integration/Continuous Delivery (CI/CD) pipeline. Identities can leverage CI/CD’s speed and convenience while mitigating the potential risks posed by a compromised account.
Saviynt’s continuous monitoring ensures compliance by constantly analyzing workloads, cloud databases, serverless functions, and other cloud artifacts against defined policies. Our solution provides near real-time security automation to remediate risky behavior by intercepting, alerting, and blocking.
Saviynt integrates multiple logs, events, and enterprise SIEMs to provide a depth of visibility into administrative activity and DevOps of multi-cloud environments. Our broad visibility identifies activity and risk that siloed solutions or individual cloud monitoring tools would miss.
Saviynt’s Infrastructure Access Governance integrates easily (no coding required!) with your existing multi-cloud software and service solutions — and the ones you’ll be acquiring in years to come.
Saviynt integrates directly with common federation platforms to seamlessly tie into your multi-cloud environment. To ensure credentials are not orphaned, accounts are directly linked back to identities and are automatically provisioned and de-provisioned as identities are added, moved, or removed. When users leave the organization, Saviynt’s platform automatically removes/disables accounts in the federated platform and cloud solutions, ensuring organizations meet regulatory compliance requirements.
Saviynt integrates with notification services across the multi-cloud ecosystem to perform an evaluation every time a workload, database, serverless function, or other cloud asset is initiated. Saviynt examines the cloud resources for misconfiguration, whether it’s a known risk such as open ports on a database, or an organizational control, such as not spinning up a database in development with production data. Saviynt has an extensive library of risk signatures and controls to prevent risky assets from running or to notify security of the risk.
Saviynt’s access analytics restricts activity that could potentially lead to a breach. Leveraging powerful techniques such as quarantine, access lockdown, or security team alerts to address suspicious activity, Saviynt’s platform automatically prevents insecure data sharing.
Saviynt’s platform continuously monitors access privileges for control violations, such as those granted as part of emergency elevation or through a backdoor. When the platform detects potential violations, it sends alerts and suggests remediation actions, such as exception documentation, time limits, or rejections.
Saviynt Exchange provides out-of-the-box compliance controls for business-critical applications, including HIPAA, PCI, NERC/CIP, COBIT, FFIEC IT Manual, and CIS. Saviynt Exchange cross-maps between regulatory initiatives, control frameworks, platforms, and control types to integrate with Saviynt’s monitoring and risk remediation. The Exchange eases compliance by providing controls organizations can implement across the multiple platforms Saviynt currently supports.
Saviynt provides firefighter/emergency access capabilities to request and provision time-bound elevated access during business emergencies. When a user completes critical actions, Saviynt automatically reviews their audit/usage trail to ensure they performed only authorized activities. Saviynt further automates the life-cycle management of firefighter access with continuous review and certification of the firefighter role and its contents by business role owners.