Despite the myths and rumours, the cloud does not make it easier to have poor security from a technical standpoint; it may however make poor security feel less painful psychologically. The thing many fail to understand is that the cloud is just the same technologies from an on-premises environment running somewhere else. Any risks that there would have been running a CRM app like Salesforce on premises are still there in the cloud.
Though the share of risks is smaller, since the provider takes care of some, in a case like Amazon’s EC2, where servers are running in the cloud, the organisation is just as responsible for security from the operating system up as it would be if the server were in its own data centre.
Many fail to see that clearly and think that there are either unique risks or magical protection afforded by running in Amazon’s world. Of course, when something is “over there” it feels like it’s less your problem. So many things that would have perhaps been a nagging feeling about a server you set up in your data centre may feel more distant when they are running in the cloud.
Has the cloud made people more complacent?
The cloud hasn’t made people more complacent to risks, but it also doesn’t seem to have made them more attentive to them either. This varies from organisation to organisation, of course. Some see the very specific language about what duties and risks are theirs in the contracts with their cloud providers and it wakes them up to all the things that may go wrong that they have forgotten.
The complacency comes from the fact that risks are still prioritised for action alongside everything else that pulls on organisations. If it will cost twice the money to fix a security risk as to increase profit margins by a third, what do you think an organisation will do? Organisations will ultimately act to further their main interests and IT security risks don’t often make the cut.
The single most common mistake users of public cloud make is to not read their contracts and understand where their responsibilities truly lie. Often people are unclear as to when and how the creation of a server in the cloud moves from the care and security of the provider to them. I’ve run into folks who mistakenly thought their cloud provider was patching servers through some back door for them. They weren’t; and the servers went unpatched for months. Often organisations will forget that the layer of management given to them by the cloud provider will also need some security. The administrative users and rights used to configure and control the cloud systems will need to be treated just as carefully as any other privileged users in their systems.
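The two mistakes just described, customer-owned servers left unpatched because someone assumed the provider was doing it, and management-plane administrators not treated as privileged users, are both things an organisation can check for itself from an inventory. The following is an added example, not code from the article, and it assumes a hypothetical inventory format and a hypothetical responsibility map; it does not call any real provider API. It encodes who patches the operating system per service model, flags customer-owned operating systems that are overdue (or of unknown ownership), and flags cloud-management admins without MFA.

```python
"""Shared-responsibility audit over a constructed inventory (added example).

Assumptions: the inventory records and the OS_PATCHING_OWNER map below are
hypothetical; real responsibilities come from the provider's contract.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Who patches the operating system for each service model. A raw virtual
# machine (IaaS) leaves the OS to the customer; managed platform services do
# not. This map is an assumption for the example, not any provider's terms.
OS_PATCHING_OWNER = {
    "iaas_vm": "customer",
    "managed_db": "provider",
    "object_storage": "provider",
}


@dataclass
class Resource:
    name: str
    model: str                       # key into OS_PATCHING_OWNER
    last_os_patch: Optional[date]    # None means never patched / unknown


@dataclass
class AdminPrincipal:
    name: str
    mfa_enabled: bool
    manages_cloud_control_plane: bool   # can create/configure cloud resources


def patching_findings(resources: List[Resource], today: date,
                      max_age_days: int = 30) -> List[Tuple[str, str]]:
    """Return (resource name, reason) for OS patching gaps the customer owns.

    Resources whose model is not in the map are reported too: if you cannot
    say who patches it, nobody is patching it.
    """
    findings = []
    for r in resources:
        owner = OS_PATCHING_OWNER.get(r.model)
        if owner is None:
            findings.append((r.name, "unknown service model; responsibility unclear"))
        elif owner == "customer":
            if r.last_os_patch is None:
                findings.append((r.name, "customer-owned OS never patched"))
            else:
                age = (today - r.last_os_patch).days
                if age > max_age_days:
                    findings.append((r.name, f"customer-owned OS patched {age} days ago"))
    return findings


def admin_findings(principals: List[AdminPrincipal]) -> List[Tuple[str, str]]:
    """Management-plane admins are privileged users: require MFA for them."""
    return [(p.name, "cloud management admin without MFA")
            for p in principals if p.manages_cloud_control_plane and not p.mfa_enabled]


# Constructed sample inventory (not real systems).
TODAY = date(2024, 6, 1)
SAMPLE_RESOURCES = [
    Resource("web-1", "iaas_vm", TODAY - timedelta(days=120)),   # overdue
    Resource("web-2", "iaas_vm", TODAY - timedelta(days=10)),    # fine
    Resource("app-db", "managed_db", None),                      # provider's job
    Resource("batch-1", "iaas_vm", None),                        # never patched
    Resource("legacy-box", "colo_server", None),                 # unknown model
]
SAMPLE_ADMINS = [
    AdminPrincipal("alice", mfa_enabled=True, manages_cloud_control_plane=True),
    AdminPrincipal("build-bot", mfa_enabled=False, manages_cloud_control_plane=True),
    AdminPrincipal("bob", mfa_enabled=False, manages_cloud_control_plane=False),
]


def run_audit(resources=SAMPLE_RESOURCES, admins=SAMPLE_ADMINS, today=TODAY):
    """Run both checks and return the findings as a dict."""
    return {
        "patching": patching_findings(resources, today),
        "admins": admin_findings(admins),
    }


if __name__ == "__main__":
    for area, items in run_audit().items():
        for name, reason in items:
            print(f"[{area}] {name}: {reason}")
```

The point of the map is that "is the provider patching this?" is a per-service answer, not a per-cloud one, and an entry whose owner you cannot name is itself a finding. Swapping the constructed lists for a real export from your provider's inventory is the only change needed to run this against an actual estate.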
Another mistake that is common is to think that the cloud provider will have services that their on-premises systems did, simply waiting for them to use. It’s true that Amazon, Microsoft, and others do build in many services for customers, but before moving to the cloud organisations really must do a full inventory of everything they were doing on-premises to identify gaps.
Security is often an area where there are things missed when moving workloads from on-premises to the cloud. Maybe there are different groups involved – the operations folks are spurring the move to the cloud for cost reasons, but the security folks only find out at the last minute and have to scramble to make a change to support the move.
How do you secure your data in the cloud?
Properly securing public cloud resources is, in the end, no different than securing systems running on-premises. In principle there are no differences, and in operation the differences are minimal. The real trick to appropriate security in the public cloud is to treat it as if it’s just another data centre.
Attempt to build security that’s at least as good as what you had on-premises, or perhaps even take the opportunity of the new build-out to make the improvements you would have made on-premises if you had only had the time. If there are security patterns you want to apply that turn out not to work because things are running in the cloud, then deal with them as exceptions. You won’t find many.
From a security perspective, cloud has been mature for years. If you look at the intimidating list of security and even compliance certifications that the major cloud providers hold, you can see that no IT shop except the most elite (and well-funded) has ever come close to offering a platform as well secured. They have to.
If the cloud providers had a major gap in security, especially considering how much undue attention is being paid to that security, then they would be finished overnight. It’s sufficient to say that if you have very poor security in the public cloud, it’s likely you brought it in with you when you walked through the door.