5 Things You Need to Understand About Cloud Security
Although cloud security is often brought up as a major issue in cloud adoption discussions, there still remain a few misconceptions that need to be corrected and clarified. In order for businesses to make the right steps in securing their cloud-based digital assets, they need to distinguish the myths from the facts. This blog post can help in that regard.
These are some of the basic things you need to understand about cloud security.
The cloud is more secure than you think
Contrary to what some people say, cloud environments can be more secure than your own privately managed data center. While you might consider security as a major issue, core business will always be your company’s primary concern. For this reason, corporate funding for security projects in your data center will rarely make it to your high priority list.
But for cloud service providers, the performance, reliability, and security of their cloud infrastructures can be key differentiators. Customers will likely choose one CSP over another if they feel more secure there. In addition, most CSPs are forced to adopt strong cyber security policies in order to meet regulatory compliance requirements. All these factors compel CSPs to put security among their top priorities.
Compared to other companies who maintain their own data center, the cost of securing the cloud infrastructure isn’t that big of a burden for CSPs. By taking advantage of economies of scale, CSPs are more capable of pursuing expensive security undertakings to protect the digital assets of their customers.
That doesn’t mean you can leave everything to your CSP though...
Security is a shared responsibility
Although CSPs can afford expensive security solutions, there are limits to what they can protect. That’s why most CSPs - even the major players like Amazon AWS or Microsoft Azure - use a shared responsibility model for security.
CSPs are normally in charge of securing their premises and providing physical server and network security, while customers are in charge of securing their operating systems, applications, and data. Knowing your responsibilities can help you focus resources on the right areas and determine who’s to blame if anything goes wrong.
This shared security model has another advantage: it can protect your digital assets from your CSP as well. Your CSP's data center(s) are administered and maintained by human beings, not robots. Because not every insider can be trusted, there will always be some risk of internal threats in the data centers themselves. Hence, you wouldn't want data center staff to have unfettered access to your data. A shared responsibility model, in which you keep control of your own operating systems, applications, and data, is best suited for this purpose.
Maximum security is not the default setting
You need to understand that, while they're provided by your CSP, some security features aren't enabled by default. For example, you've probably read about cloud computing security benefits like high availability, disaster recovery, and business continuity.
These benefits can’t be fully realised unless you employ multiple levels of redundancy, like deploying multiple instances of your applications or spreading your applications across multiple data centers in different geographical locations. In Amazon S3, for example, this can be done by using multiple Regions and Availability Zones.
The use of multiple regions could have helped companies withstand massive cloud outages like the one that took down several AWS-based sites earlier this year. If you want to achieve even greater redundancy, you can adopt multi-cloud architectures by subscribing to multiple CSPs or adding an on-premise cloud infrastructure.
You need to encrypt both data at rest and data in motion
In a cloud environment, threats to data confidentiality come from all directions. They exist while data is at rest on your CSP's storage devices. They also exist while data is in transit between cloud-based servers, between your cloud infrastructure and your on-premises data center, or between your cloud infrastructure and an end user.
For this reason, you need to employ end-to-end encryption at all times if you're dealing with sensitive data. Data-at-rest encryption technologies like file- or disk-level encryption will protect your data even if an attacker manages to steal or gain unauthorised access to your CSP's storage devices. Data-in-motion encryption, on the other hand, like SSL/TLS or SSH, will protect your data from network packet sniffing tools and other man-in-the-middle attacks.
Again, while your CSP may provide both data-at-rest and data-in-motion encryption functions, it’s mostly up to you to use them.
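To make the "not enabled by default" and "encrypt at rest and in motion" points concrete, here is an added example (not code from the original post) that audits an S3 bucket's configuration offline. It assumes the response shapes of the GetBucketEncryption and GetBucketPolicy APIs and uses the real aws:SecureTransport condition key; the two bucket records are constructed samples, one left at defaults and one hardened by the customer.

```python
import json

# Constructed samples shaped like GetBucketEncryption / GetBucketPolicy results.
# A bucket nobody has touched: no encryption rule and no bucket policy at all.
DEFAULT_BUCKET = {"encryption": None, "policy": None}

# A bucket the customer hardened: KMS encryption at rest and a policy that
# denies every request not made over TLS (data in motion).
HARDENED_BUCKET = {
    "encryption": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]
        }
    },
    "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }),
}


def has_default_encryption(encryption):
    """True if a default server-side encryption rule (data at rest) is configured."""
    if not encryption:
        return False
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in rules)


def denies_plaintext_transport(policy):
    """True if some Deny statement rejects requests where aws:SecureTransport is false."""
    if not policy:
        return False
    for stmt in json.loads(policy).get("Statement", []):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def audit_bucket(bucket):
    """Return a list of findings; an empty list means both controls are in place."""
    findings = []
    if not has_default_encryption(bucket["encryption"]):
        findings.append("no default encryption at rest")
    if not denies_plaintext_transport(bucket["policy"]):
        findings.append("policy does not require TLS (aws:SecureTransport)")
    return findings
```

Run the same checks against the output of the real APIs to see which of your buckets still rely on the defaults.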
One size doesn’t necessarily fit all
In some instances, a single cloud architecture might not be enough to meet all your security needs. For example, even if your CSP promises superior levels of security, your data privacy requirements might simply not allow certain types of data to be placed in the cloud. In cases like this, you could adopt a hybrid cloud strategy wherein one part of your cloud infrastructure stays with a public cloud CSP, while the other part stays in a private cloud on your own premises.
Cloud security can be a tricky endeavour, but as long as you understand the basic concepts, you should be able to do things the right way.