Believe it or not, the cloud is not a magical wonderland that protects your data, nor does it carry any unique and unheard-of risks. Of course, when something is ‘over there’, it feels like it’s less your problem. Many things that would have been a nagging worry about a server you set up in your own datacentre can feel more distant once they are running in the cloud.
Technically speaking, the cloud does not make it easier to have poor security; it may, however, make poor security feel less painful psychologically. What many of us fail to understand is that the cloud is just the same technology as an on-premises environment, running somewhere else. Any risks there would have been in running a CRM app like Salesforce on premises are still there in the cloud, though the share you carry yourself is smaller, since the provider takes care of some of them.
The cloud hasn’t made people more complacent about risks, but it doesn’t seem to have made them more attentive to them either. This varies from organisation to organisation, of course. Some see the very specific language in their cloud provider contracts about which duties and risks are theirs, and it wakes them up to all the things that may go wrong that they had forgotten about.
The complacency comes from the fact that security risks are still prioritised for action alongside everything else that pulls on an organisation. If fixing a security risk will cost twice as much as an initiative that raises profit margins by a third, what do you think the organisation will do? Organisations ultimately act to further their main interests, and IT security risks often don’t make the cut.
The single most common mistake users of public cloud make is not reading their contracts and understanding where their responsibilities truly lie. People are often unclear about when and how a server created in the cloud passes from the care and security of the provider into their own.
I’ve run into folks who mistakenly thought their cloud provider was patching servers through some back door for them. They weren’t, and the servers went unpatched for months. Organisations will often forget that the management layer the cloud provider gives them also needs securing. The administrative users and rights used to configure and control the cloud systems need to be treated just as carefully as any other privileged users in their systems.
Properly securing public cloud resources is, in the end, no different from securing systems running on premises. In principle there are no differences, and in operation the differences are minimal. The real trick to appropriate security in the public cloud is to treat it as just another datacentre. If there are security patterns you want to apply that turn out not to work because things are running in the cloud, deal with them as exceptions. You won’t find many.
The worst consequences of cloud security failures are conversations about cloud security failures. In the end, security in the cloud is only as bad as the user makes it. You could argue that the massive investments cloud providers make to secure the underpinnings of the applications, servers and other technologies they offer actually make cloud security quite a bit better.
But the cloud is under a microscope because of its impact and potential. Combine that with the (mostly false) impression that the cloud is somehow less secure, and you get a multiplier for any cloud security failure that does occur.
Security in the public cloud will need to be a team effort just as it was on premises. There is a need for a security subject matter expert for sure. However, there will be pieces that require a cloud subject matter expert too. The real trouble here is that most organisations don’t have an appropriate process to manage and disseminate good security information for their current systems and moving to the cloud won’t magically fix that.
However, forward-looking organisations could use the opportunity afforded by a paradigm shift like moving to the cloud to establish a better process. Long-standing security processes, e.g. those from SANS, are perfectly well suited to the cloud. Taking proven models and applying them to new public cloud operations will definitely result in better outcomes.
From a security perspective, the cloud has been mature for years. If you look at the intimidating list of security and even compliance certifications that the major cloud providers hold, you can see that no IT shop except the most elite (and well-funded) has ever come close to offering a platform as well secured. They have to. If the cloud providers had a major gap in security, especially considering how much undue attention is paid to that security, they would be finished overnight. Suffice it to say that if you have very poor security in the public cloud, you most likely brought it in with you when you walked through the door.
Jonathan Sander, VP of Product Strategy at Lieberman Software