Cloud architecture is composed of the components and sub-components found in a cloud. While that’s a very general description, there is more than just technology in cloud architecture. National Institute of Standards and Technology Special Publication 500-292 (NIST SP 500-292) focuses on the entities involved – the cloud consumer, the provider, the auditor, and so on. You really cannot get to the technology without them.
Cloud architecture can be broken down into a four-level taxonomy: role, activity, component, and sub-component. When discussing cloud architecture, it is necessary to state who does what, how, and with what tools.
A well-architected framework takes a lot of work. There is much to consider when going through this process. At the beginning, there are many questions to answer, such as the following:
- What are your internal and external customers’ business priorities?
- How do you determine the threat landscape that will have an impact on your cloud and core business structure?
- Where is your data, especially sensitive data, and where does it flow?
- How will you ensure that deployment of systems onto the cloud is done correctly?
- What additional training do your software developers, IT personnel, and employees need with this move into the cloud?
- What mechanisms will you use to ensure all systems are configured correctly?
- What tools will you use to manage the updates and patches for all cloud systems to maintain your security level?
The list continues, so it is critical to ensure that architecture is done correctly, with skill, so implementing a cloud does not cause more damage than the good it can provide your business.
The activities within cloud architecture define access and consumption of SaaS, PaaS, and IaaS. This also includes orchestration, audits, and security.
- Orchestration – coordinated management of a cloud environment to accomplish the goals of the business using it.
- Audits – analysis of the security, performance, and compliance of a cloud provider. This is done by an external third party.
- Security – must always be addressed, including confidentiality, integrity, and availability:
  - Confidentiality – keeping sensitive data secret and ensuring that only authorized users have access to it.
  - Integrity – providing a level of confidence that the data or system has not been changed and that the data or system is trustworthy.
  - Availability – ensuring that the data and systems are accessible and usable when needed.
Choose the components of cloud architecture to meet an objective. What are the specific actions, steps, tasks, and processes that must be completed to accomplish this objective? In considering the cloud, first decide whether a public or private cloud or some combination is the best decision for the business. A hybrid cloud connects, for example, a private cloud to a public cloud. A newer term, multi-cloud, is defined as being public and private without any connection between them.
Another topic to address when choosing components is the issue of interoperability and portability.
- Interoperability is the ability for two different systems to communicate and send data back and forth under specific conditions.
- Portability is the ability to move data from one cloud to another without having to recreate or reenter the data manually.
Careful consideration of these two issues in terms of the objective of the business is critical from the start of architecting and designing a cloud. The risk of leaving these out at the beginning is that a business may find itself locked into an inadequate or inappropriate architecture.
Sub-components enable a company to address questions of service level agreement (SLA) management, rapid provisioning, and resource changes.
- SLA management – Is the business going to monitor metrics in-house and ensure the service meets promised service levels? Should a third party, such as a service broker, do the monitoring? A service broker helps negotiate the original contract and provides continued management of the service, monitoring the metrics and possibly other services.
- Rapid provisioning – The cloud is a different environment that does not fit many of the old change management methods. Would it make sense to implement automation tools to help manage cloud infrastructure changes?
- Resource changes – It is necessary to update configurations and set some devices aside for repair.
Cloud security architecture
In cloud security architecture, security elements are added to cloud architecture. Cloud security always involves a shared responsibility between the cloud provider and the cloud consumer. The division of responsibility depends on the type of cloud structure you are using: IaaS, PaaS, or SaaS. The International Organization for Standardization (ISO), NIST, and the Cloud Security Alliance (CSA) each describe a division of responsibility. In the end, however, it will be determined by the cloud provider and customer and written into the contract.
As a cloud customer, it is important to do a risk assessment to ensure you understand the consequences of using any form of cloud. If you’re not building your own cloud in your own data center, the contract should state who is responsible for what, or at a minimum, what you can rely on the cloud provider to do.
Here are some security controls to consider when designing or using a cloud solution:
- Multifactor authentication (MFA) – It is highly recommended that you use MFA on all accounts.
- Data classification – It is critical today to understand the data you have within your cloud and how sensitive it is. There are tools that will help discover things like personally identifiable information within data storage. Use the tools or a more manual process, but either way, it must be done.
- Identification and authentication – It is critical to control access from all actors using or within the cloud. This means not just users and administrators but also software, APIs, and functions that access other software or data.
- Create separate and controlled accounts for administrators – The primary account for the business should not be the one used by the administrators. If that account is compromised, everything could be lost.
- Log – Log everything you can and set metrics to alert administrators to suspicious or dangerous conditions.
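The account-related controls in this list (MFA, identification and authentication, separate administrator accounts, logging) can be checked mechanically against an identity inventory. The following is an added example, not taken from any provider's tooling; the `Identity` fields, the `audit` function, and the inventory are constructed for illustration, and it assumes MFA applies to human identities while software identities are checked for authentication instead.

```python
from dataclasses import dataclass

@dataclass
class Identity:
    name: str
    kind: str            # "primary", "admin", "user" or "service" (software, API, function)
    mfa: bool            # MFA enrolled (checked for human identities only)
    authenticated: bool  # must present a credential before any access
    admin_actions: int   # administrative actions seen in the review period
    logged: bool         # activity is written to the audit log

HUMAN_KINDS = {"primary", "admin", "user"}

def audit(identities):
    """Return sorted (identity, finding) pairs for the controls listed above."""
    findings = []
    for i in identities:
        # MFA on all accounts (assumption: only humans can enroll a second factor)
        if i.kind in HUMAN_KINDS and not i.mfa:
            findings.append((i.name, "no MFA"))
        # Identification and authentication covers software and APIs too
        if not i.authenticated:
            findings.append((i.name, "unauthenticated access"))
        # The primary business account should not do day-to-day administration
        if i.kind == "primary" and i.admin_actions > 0:
            findings.append((i.name, "primary account used for administration"))
        # Log everything you can
        if not i.logged:
            findings.append((i.name, "activity not logged"))
    return sorted(findings)

# Constructed sample inventory, not data from a real environment
INVENTORY = [
    Identity("org-primary", "primary", True, True, admin_actions=14, logged=True),
    Identity("alice-admin", "admin", True, True, admin_actions=52, logged=True),
    Identity("bob", "user", False, True, admin_actions=0, logged=True),
    Identity("billing-api", "service", False, False, admin_actions=0, logged=False),
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```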