Security has become the business of every reputable Cloud Service Provider (CSP) because of the potential ramifications to both itself and its clients of any incident of data loss. While an in-house team might make you feel secure because it is on your premises, in reality its members are unlikely to have the range of security expertise that a large CSP has and a lot of businesses are unlikely to be able to budget for the acquisition of those skills.
Organisations can give many reasons for being concerned about cloud security and migrating to the cloud. Here are some of them and why they turn out to be misconstrued.
The Bad Neighbour: This is the fear of not knowing who else is running on the cloud infrastructure beside you. For instance, you could have a youth club website running next to an adult ecommerce website. The reality is that on public cloud architecture you will never know who your neighbours are and that’s actually one of the key strengths of cloud technology – the fact that you CAN have completely disparate client profiles running side by side with little or no risk of them ever becoming aware of each other in a logical sense. If you have compliance issues then the answer is to ‘go private.’
Hollywood Hacking: This is the perception that it takes a ‘four-eyed geek’ 30 seconds of furious typing to break into a secured system. This is the stuff of great movies. In reality it is insecure access methods and poorly written API integration with cloud services that can make them insecure. This is as true for poorly written and applied access methodologies inside your own ‘closed’ organisation.
The Bad Egg: This is the risk of there being an insider who wants to do harm. This is a risk that exists as much within the organisation thinking of using cloud services as within the CSP itself. Again there are buying decisions which can mitigate this, such as ensuring your CSP has invested in the requisite ISO 27001 accreditation for Information Security so you are fully compliant.
Data Loss: There is always a risk of data loss. The intrinsic strength of using a CSP is that the economies of scale available to them make their cloud platforms massively more resilient than the average in-house platform or service. The way to mitigate this risk is to use a real enterprise level backup solution – anything else is bad practice.
Intruder Alert: This is the risk of someone using primary administrative or super user logins for cloud control interfaces. This is a big risk for you inside your own organisation. In the vast majority of cases if someone has ‘hacked’ your account it means you have poor password or poor information security management practices in place. There is of course the risk of CSPs themselves being hacked and user information being leaked but this can always be mitigated with Multi Factor Authentication.
The Patchwork Man: This is the Unknown Risk Profile where vulnerabilities exist in the underlying software you are using. Most CSPs operate on a shared responsibility model where they will ensure the underlying infrastructure and data centre technology is resilient and secure. What you create with it is down to you. For instance, if you launch a Windows Server 2008 instance and fail to patch it or pay for patching services, then that is your responsibility. Moving to the cloud rarely abrogates your responsibility to take care of the services and applications you have placed there.
The lines in the cloud are now broadly defined as follows:
- Public Cloud: AWS, Microsoft Azure
- Private Cloud: Hosted with a Managed Service Provider, Hosted On-Premise
- Hybrid Cloud: Any mix of Public/Private and On/Off Premise
Cloud is a generic term which encapsulates a massive range of potential platforms and services. The issue is which parts of your IT mix can be used in a cloud-based model. A good IT team will understand the risks and benefits associated with each one.
Understand the benefits, understand the risks and understand your responsibilities; then you can migrate to the cloud successfully and securely.
By Paul Jeffrey, Technical Account Director