Separating Fact from Fiction on Cloud Security
More than a decade after cloud services arrived on the scene, many organizations are still hesitant to exploit the technology to its full potential — or, in some cases, even approach the cloud at all.
That’s unfortunate, because the cloud is essentially a gateway to a bright new world of innovative services as well as operational and financial benefits.
Still, for many potential adopters, the public cloud remains a mysterious, dangerous place where attackers lurk at the end of every upload, ready to snatch away critical data at the touch of a key or the click of a mouse.
“Generally speaking, the cloud is a more secure place than most enterprise environments on-premises, because it outsources the security of your critical infrastructure to some of the most innovative companies and talented security teams in the world,” says Asaf Cidon, senior director of security engineering for Barracuda Networks.
The initial fear of security in the cloud has long been put to rest, adds Mark Nunnikhoven, vice president of cloud research at Trend Micro. “Cloud service providers build their businesses on having strong, secure services,” he says. “It’s in their self-interest to provide world-class security, and it’s hard to meet that level of rigor and compliance with your own on-premises solution.”
Maintaining Control Over Your Data
Many organizations remain reluctant to embrace the cloud because they fear losing control over data security. But such fears are misplaced, says Scott Miles, senior director of cloud and enterprise portfolio marketing for Juniper Networks.
“Whether your data is on your on-premises servers or in the cloud, the most important thing is to have visibility into your data, with both security and compliance being key,” Miles says. He notes that the primary challenge for organizations is instituting and maintaining a consistent security policy and establishing policy enforcement as data moves back and forth between local and third-party cloud environments.
“Whether you keep your data on-premises or offload it to the cloud, enterprises have access to equivalent tools and can deploy them to secure resources,” Miles says. “By choosing the right vendor, the means to protect data is consistent across on-premises and cloud solutions.”
For many, the main concern in the cloud stems from the fact that the user no longer has access to the physical system or the virtualization layer — the cloud service provider does. “Data is safest when the proper security and privacy controls are applied, regardless of who ‘owns’ or has access to the servers hosting the data,” Nunnikhoven points out.
Data residency assurance, a critical need for many organizations, can also lead to cloud skepticism. According to Nunnikhoven, a cloud provider has to be completely transparent as to where a customer’s data will reside and be prepared to reveal that information at any time.
“Several countries have data regulations that specify country of residence for data and you need that assurance to meet those regulations,” he says. “In addition, legal jurisdiction is hard enough to establish on the internet, so there’s no need to complicate it unnecessarily because data is strewn across several countries.”
Cidon agrees that it’s critical for a cloud provider to maintain complete data residence transparency. “Some cloud providers provide options for where a customer’s data will live, and this typically depends on the country and industry of the target customers,” he says.
Shared Responsibility for Cloud Security
Many organizations mistakenly believe that cloud security is entirely the provider’s responsibility, yet they remain reluctant to hand such an important task to an outside party. But Miles notes that cloud security is very much a two-way street.
“Both the customer and the cloud provider need to have a clear understanding of the requirements and the importance of being compliant, responsible and accountable,” Miles says. “It’s important that the customer clearly communicates its anticipated usage of the cloud infrastructure, the types of applications and data it plans to run in the cloud, and the level of scale required for the provider to ensure that the correct security posture is in place.”
With the cloud, there’s a shared responsibility model. A provider is only responsible for a limited number of security areas. “They’re responsible for physical, network and hypervisor security,” says Doug Cahill, senior cybersecurity analyst for the Enterprise Strategy Group. “They’re also responsible for creating application program interfaces (APIs), enabling a third-party ecosystem and for advanced security controls. But the customer is responsible for the workload, the application that’s running in the cloud and, most important, the data.”
Because of this symbiotic relationship, customer input and cooperation are essential for maintaining seamless cloud security, Nunnikhoven adds. “Even though the provider is responsible for the day-to-day security, it’s up to the customer to verify through third-party audit reports and testing that these controls are adequate for the classification of data they are storing on that service.”
What’s more, organizations also need to know that there’s no magic bullet for network and data attacks. “As threats become more sophisticated and more targeted, customers must remain vigilant in keeping systems up to date and deploying multiple layers of security protection,” Cidon says. That includes email security solutions to block spam or malicious links from landing in users’ inboxes, next-generation firewalls to control access, and web application firewalls that help protect applications and workloads after they migrate to the cloud.
Dispelling Myths About the Cloud
Further complicating the cloud security picture is the widespread — yet generally incorrect — belief that the cloud is more vulnerable to attack than on-premises infrastructures. Cidon acknowledges that the cloud does get attacked more frequently, mostly due to the use of publicly available APIs. “On the other hand, on-premises resources may be more vulnerable because they often do not have the best safeguards in place,” he says.
Paradoxically, an open environment such as a public cloud can benefit from receiving a large number of attacks, Cidon suggests. “These environments know they are targeted frequently, which leads to an increase in the overall resources put toward testing and fixing vulnerabilities.”
The notion that multitenant clouds are somehow less secure than single-tenant private cloud deployments doesn’t hold water, Cidon adds. Many organizations reflexively assume that private clouds must be more secure by their restricted single-tenant nature. That notion can create a false sense of security, leading to an intentional or unintentional relaxation of authentication safeguards and other security measures.
“This can leave significant security gaps for those single-tenant environments,” Cidon says. “Generally speaking, multitenant clouds are typically architected with security in mind.”
Cahill agrees: “Complacency, quite frankly, is the biggest cause of security breaches. The vulnerability that gets exploited most frequently is human gullibility.”
In the end, when comparable on-premises deployments are weighed against cloud migrations, the security risk ends up being about the same, Nunnikhoven says. “Once a system is connected to the internet, it’s going to be scanned, probed and, most likely, attacked,” he says. “That holds true no matter where it is located.”
Read CDW Cloud Client Executive Eric James’s take on “Public Cloud Security and You” in his blog post at blog.CDW.com/publiccloudsec.