Seguridad en el modelo IaaS

IaaS models are those services that focus on offering computing capabilities to their consumers. Some of the most widely used implementations by various levels of users (both corporate and home) are Amazon Web Services, Rackspace, and GoGrid. Figure 1 shows the home screen of the Amazon Web Services service, Elastic Compute Cloud, also known as Amazon EC2.

Security Considerations
As we mentioned, IaaS service models are focused on the provision of computing capabilities, whether processing, storage or network, among others. From this, we can quickly intuit that this model is the closest to hardware and in particular to virtualization technologies, without which Cloud Computing could not exist as such.

For this reason, most of the security controls in relation to these models are related to the protection of virtualization technologies, since by compromising this technology a malicious user could have access to the rest of the users who contract resources from an IaaS service provider. In this line, NIST has identified a series of security issues to be taken into consideration by providers of this type of services, with the following being some of the most notable:

• Legacy environment vulnerabilities: If the provider allows users to use legacy applications, they run the risk of exposing other users to these vulnerabilities.
• VM isolation: Since the VMs assigned to different users usually come from the same pool, it is essential to ensure the isolation of virtual machines between users, thus preventing eavesdropping and/or tampering attacks.
• Secure data deletion: Since VMs share storage resources between them, it is important to ensure that when a user frees up storage resources, they cannot be accessed by a new consumer using that resource.

For all IaaS service providers, both public and private clouds, it is recommended to at least align with the Security Guide for Virtualization Technologies published by NIST, which presents a series of guidelines that must be followed to reduce the security risks introduced by these technologies.

Finally, let us not forget that both virtualization and Cloud Computing are technologies that are only effective when they are aligned with the business and serve it.