How can web security from systems' perspective be taken care of in Cloud?

Question

Hello. While choosing between shared hosting and Cloud hosting I have always been inclined to go for the latter. However one aspect that always worries about Cloud is security. Here I'll try to be more specific.

When I go for shared hosting, the foundation softwares are already there for me and they are configured to the best suitable security for web (I am hoping this assumption is correct). However when I get hold of an instance in the cloud, I usually have to do every possible configuration myself. Further I have to keep track of security updates released, etc. (I hope you get the point). This is intimidating as I would loose focus from my application.

Of course one would say that I can go for exclusive virtual hosting (or even dedicated) hosting that many providers offer. But there the cost is weird and those benefits of cloud (especially scalability) are ruled out.

So I'd like to know how one can be on cloud and be relieved of 'system's upkeep as well?

Answer 1

Systems upkeep? Well, either you go for a service that doesn't have those requirements (google, azure, etc) or you get a network admin to do it.

Don't get caught up in "cloud" security; it's just general data security, with a few more issues. Some of the issues related to the type of VM systems the provider uses (for example, if they use VMWare, and someone manages to break out of that on the server itself, they might be able to compromise other vms running in that situation (CloudBurst).

But in general, you security problems are the same:

1. OS Level (patches, etc,
2. Application Level (design/validation/)
3. Clientside (CSRF, etc)

FWIW, I run an EC2 myself, and I don't have any problem installing the windows updates (though it does require some downtime). Depending on what OS you select, it may be easier or harder, but this is part of life when you run a non-managed server.