Public Cloud Security

The Naked Truth about “Public Cloud Security”

Public Cloud is becoming a standard deployment model for many of the major enterprises around the globe to achieve key cloud benefits such as scalability, speed to market and a pay-as-you-go cost model. However, I am still seeing many articles on the internet claiming that security is a prime concern that keeps many CEOs from considering Public Cloud, so that they instead try to build their own Private Cloud or stick to their traditional IT model.

In my opinion it only shows that people who don’t trust Public Cloud haven’t done their groundwork to understand the security capabilities provided by some of the leading Public Cloud vendors.

Adding to this, the organisation’s “Information Security” approach must be consistent whether you manage the data in Public Cloud, in Private Cloud or in a traditional datacentre.

Security is all about protecting your data and managing the risks associated with unauthorised access to your data. First understand the security risks to your environment and data, then implement the security controls to mitigate those risks. Controls must be consistent across your Cloud and datacentre environments, but the technologies you use to implement the controls may differ between them.

Let me explain, in simple terms, how you can implement some security technologies in Public Cloud:

If you manage access using Active Directory in your traditional environment then you can continue to use Active Directory within the Public Cloud infrastructure as well. Most of the vendors support Active Directory integration. Alternatively, you can use the Identity and Access Management tools provided by the Public Cloud vendor at no extra cost.
If you have a firewall to perform Stateful Inspection in your datacentre then you can have the same vendor’s virtual appliance perform the same function in the Public Cloud, or you can use the similar functionality provided by the Public Cloud vendor, e.g., Security Groups in AWS provide Stateful Inspection firewall capability at no extra cost.
Logging and monitoring – again, Public Cloud vendors provide this capability as a service and you can pay as you go with no long-term commitment. You even have the option to pull the logs from cloud servers/services into the security event management system running in your datacentre for event correlation and investigation. This is no different to your current logging solution running in your traditional datacentre.
Encryption – I know this is not easy, especially with key management. If you have issues with key management in your datacentre then don’t expect the issue to disappear in the Cloud. Most of the major Public Cloud vendors provide encryption capability for both data in transit and data at rest. However, key management is your responsibility, so have a plan to tackle it. If you don’t have a plan, start working on your enterprise key management plan without wasting a minute.
Application Security – First, enforce secure coding practices across your organisation. It doesn’t matter whether you develop applications for a traditional architecture or a Cloud architecture. Second, have a WAF to protect your application from common application threats; most of the vendors offer virtual appliances which you can implement within your Public Cloud environment.

I could add a few more security technologies to the list above but I don’t want to. My intention is to provide a few examples for people who think that Public Cloud is not a secure environment for their data.

Here are my top three quick and dirty questions to ask yourself before saying a big “NO” to Public Cloud:

Public Cloud vendors hold industry certifications such as ISO 27001, PCI DSS and SOC. How long will it take, and how much will it cost, to meet these certification requirements for my Private Cloud or datacentre environment?
In Public Cloud you can completely automate and orchestrate security functionalities such as applying encryption and firewall rules at no extra cost. How long will it take, and how much will it cost, for me to completely automate security functionalities within my Private Cloud or datacentre environment?
What is the risk I am trying to mitigate or reduce by keeping the data within my Private Cloud or datacentre environment? In most cases people just say “NO” to Public Cloud without even understanding their risk and current security posture. So conduct a risk assessment, understand your security risk posture and then make an informed decision.
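
To illustrate the automation point in the second question, here is an added example (not code from the original article): a Python check that scans security group rules, in the JSON shape returned by `aws ec2 describe-security-groups`, for sensitive ports reachable from anywhere. The sample groups, their IDs and the sensitive-port policy are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc-example", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0ddd-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")

# Assumed policy: admin and database ports must never face the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP"}

def is_world_open(cidr):
    # True for 0.0.0.0/0 and ::/0, i.e. any network with a zero-length prefix.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_security_groups(doc):
    """Return (group_id, port, cidr) for each sensitive port open to the world."""
    findings = []
    for group in doc["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            proto = perm["IpProtocol"]
            if proto == "-1":                      # all protocols, all ports
                lo, hi = 0, 65535
            elif proto in ("tcp", "udp", "6", "17"):
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:                                  # ICMP etc. carry no ports
                continue
            for cidr in filter(is_world_open, cidrs):
                for port in sorted(SENSITIVE_PORTS):
                    if lo <= port <= hi:           # port ranges count too
                        findings.append((group["GroupId"], port, cidr))
    return findings
```

On the sample, the port range 3000-4000 and the all-protocols IPv6 rule are flagged alongside the obvious open SSH rule, while the public HTTPS rule and the internal-only MySQL rule pass.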

Today’s world is filled with intelligent customers with smart devices: either you deliver the product which meets customers’ demand and speed, or you are thrown out of the market. Hence, if you want to compete in this fast-paced market, I would highly recommend that you select a Public Cloud provider who is capable of delivering first-class technology services and applications which you may never get a chance to build within your Private Cloud or datacentre environment.

For small and medium enterprises, moving to the cloud definitely provides a Security Uplift and there is no reason to use security as an excuse for not moving your data to Public Cloud.

Even the Australian government recently announced its Cloud-first policy, so what are you waiting for?
