As cloud services take the reins from on-premise hardware and software, the importance of strong cybersecurity strategies for cloud-based solutions becomes apparent. According to RightScale’s 2015 State of the Cloud Report, security continues to be the number one cloud challenge for IT professionals.
However, unlike locking down a private network with firewalls and monitoring tools, there is not a one-size-fits-all approach to cloud security, as the number of use cases for the cloud makes standards almost impossible. This means that cloud security falls on enterprises’ shoulders, and simply put, managing security in the cloud is much different than securing traditional IT environments.
But, why? Why is cloud security so different than traditional data security? Let’s take a look.
Cloud and perimeters
Traditionally, a corporate network perimeter extended to the physical firewalls, and sometimes to other locations and offices connected behind them. This was easy to establish and maintain. The cloud, however, changes the traditional idea of a network perimeter.
In the cloud, a business's perimeter is spread across the world, as different public cloud services and software as a service (SaaS) solutions stretch the edges of the network to the point where any device or end user becomes the edge. This raises the question a company must answer: what exactly is its new perimeter, and how should it be protected?
Essentially, whatever IT teams traditionally do inside the perimeter must be extended to the cloud, whether using SaaS or public Infrastructure as a Service (IaaS). It is unlikely that a cloud service provider implements exactly the same perimeter standards as any one of its clients, so those companies must compensate by adding extra controls of their own.
Furthermore, there are security risks to perimeters regardless of whether a cloud is private or multi-tenant. For the former, physical locations must be protected, while for the latter, businesses need to ensure that no one on shared machines can jump to mission-critical instances.
Simply put, it's not just about establishing or extending perimeters; in many cases it's also about securing and restricting access. Our experience has shown that cloud perimeters, cloud DMZs, and trust zones are effective ways to add this security.
Data stewardship and control
With an on-premise data center, businesses clearly own the data stored within, and they have tight control over who can access that information. Traditionally, data stewardship is straightforward, but not in the cloud.
When using cloud services, organizations must establish who controls data, mainly because they remain responsible for its protection even if a breach was accidental. This means paying attention to state and federal laws is critical: where data is stored matters. Additionally, businesses need to determine what their cloud providers can see, and this will shape their encryption practices, including the use of asymmetric cryptography, the level at which encryption is applied, and strong authentication.
Furthermore, cloud provider contracts will outline who controls security equipment and who can alter or access those controls. Some cloud services offer security only as a virtualized layer, but in reality a balance of hardware and software controls is necessary to ensure data security. So, businesses should vet their cloud providers' logging, monitoring and SIEM systems, perhaps taking hints from their own practices for on-premise environments.
While similar to and overlapping slightly with data stewardship, governance is a policy-based approach to data protection which relies on knowing who controls what in the cloud. Specifically, businesses will need to determine the level of visibility and control they have over cloud services, as this affects everything from performance to intrusion detection; overall, data governance requires experts.
To truly maintain control over governance, businesses need to carefully create contracts, SLAs and KPIs, and manage their cloud providers, in order to determine who solves which problems, who is responsible for what, and how the cloud services' strategies and protocols align with internal IT's policies. For example, KPIs for cloud storage (average read and write times, network bandwidth, response time and round-trip time) should be established to optimize performance for business users.
Shape of your Cloud
On-premise IT is much simpler than the cloud, considering that "the cloud" has come to mean dozens of different services and solutions in the past few years. The fact that clouds can take many shapes depending on the use case introduces a whole new layer of complexity, since there is no tried-and-true cloud security approach that spans IaaS, SaaS, platform as a service (PaaS), and database as a service (DaaS) solutions. The cloud security elements (cloud perimeters, cloud DMZs, trust zones, and data integrity) vary widely depending on the use case(s) an enterprise is implementing:
- Business use of software as a service
- Development in the cloud
- Governance of the cloud
- Building a private cloud for outsourced development
Fred is a Practice Director for OpenSky. He is an accomplished technology leader, innovator, and trusted advisor to senior-level executives on technology and security solutions. Fred has a track record of applying advanced business techniques and strong technical and security knowledge to deliver services and solutions to large enterprise environments, and of leading and developing large, high-performance teams.