Assessing Public Cloud Security: Risk vs. Reward

Gartner projects that public cloud computing will grow by 17.5% in 2018, measured by market revenue. The number of enterprises opting to employ public cloud services, and therefore needing to learn about public cloud security, is growing at a rapid clip. The chief benefit driving that growth isn’t cost savings. Cloud computing’s primary advantage is that it gives you the option to scale upward and downward in minutes. It gives your business instant agility to spool up server, storage, networking, and database services on a whim to take advantage of a business opportunity or to react to a competitor’s move.

Just as important, all stakeholders in the adoption of the public cloud must thoroughly understand cybersecurity. Most cloud experts agree that the major cloud-computing providers, such as Amazon AWS, Microsoft Azure and Google Cloud, deliver top-notch security. Some pundits believe that the public cloud vendors deliver a consistent level of security that’s better, on average, than that of the typical on-premises data center. But such generalizations can confuse the issue by obscuring who is responsible for what when it comes to security in the public cloud.

The shared-security model

Public cloud uses what’s known as the shared-security model. Amazon, Google and Microsoft all start with this premise. It means that your cloud provider is responsible for one part of the security, and your organization is responsible for another. Amazon, for example, describes this as the difference between “security of the cloud” and “security in the cloud.” In other words, Amazon’s part of the shared security is the infrastructure underlying the cloud service itself. It protects the hardware, software, networking, and facilities that run the AWS cloud services. The enterprise customer’s responsibilities vary depending on the Amazon products selected, but they include all the software running in the cloud instance, such as encryption, the operating system, the firewall, platforms, and applications.

Given that an on-premises data center requires your tech staff to handle all the security, the shared-security model can seem like a bargain at first. However, on closer inspection, your tech people will realize that the way the public cloud is architected means that security is handled differently than it is on the servers they have been working on for years. To do the job correctly, they are going to have to learn the new architecture.

“It is important that the IT and security staff look at the public cloud holistically, learning and understanding how it works, what is and isn’t enabled by default, what the exposure is,” said Matt Keil, director of product marketing manager, public cloud, Palo Alto Networks. “Yes, the underlying technology is like that of a data center, but where it gets sticky is when a data center expert assumes he or she can merely duplicate what they did on premises.”

The three major public cloud providers offer documentation on how to secure your cloud environment, but it’s not going to be specific to all your applications and other software. So, there’s a learning curve. Also, each cloud vendor does things a little bit differently. They all use a shared-security model, but each is implemented in its own way, meaning that the security knowledge doesn’t fully translate from public cloud to public cloud. Bottom line: the way that public cloud is secured requires a change of mindset. Company leaders will need to invest time and money to retrain their personnel. It’s not a challenging transition, but creating an excellent security posture will take time to research and implement.

Cloud security pros and cons

The Cloud Security Alliance (CSA), a non-profit organization, is a good resource for your security pros to evaluate the security of various vendor cloud solutions. It publishes a comprehensive document called the Cloud Controls Matrix. What does the CSA see as the pros and cons of securing public cloud?

Vincent Campitelli, enterprise security specialist, CSA, offered this: “Many of the risks associated with public cloud-acquired IT services are essentially the same as on-premises data centers. There are only two potential differences: One, the inherent risk associated with contracting a third party to manage your IT assets, and, two, the competence and efficiency of the organization’s personnel.”

James McDonald, president, Contino, a global DevOps and cloud consultancy, sees only upside to moving to public cloud. “Enterprises are more secure operating in the cloud than they are managing their own on-premises data centers,” he explained. “Why? For three simple business reasons: First, the security posture of cloud providers takes a world-class ‘defense in depth’ approach; second, cloud providers are incentivized to protect their customers at massive scale, which requires a level of cybersecurity expertise that enterprises simply could not implement; and, third, frequent auditing and security operations certifications are required for cloud vendors and are publicly available.”

5 key points for CEOs

1. Your security people should be involved with the public cloud process from day one.

2. Your data should be encrypted in the cloud.

3. One of the dangers of adopting public cloud is backing into a scenario where you’ve got a very complex, multiple-cloud platform environment that is difficult to secure. Someone, or a small team, should be aware of all cloud implementations. For guidance on next steps, see Cloud First, Now What? from Palo Alto Networks and the Cloud Security Alliance.

4. Your best defense against security breaches and other calamities is a regular audit of your security posture. While you can hire outside companies to do this for you, the better approach is probably to acquire cloud-security monitoring software from a reputable vendor.

“Once-a-year assessments [by third-party security testing companies] are invalid as soon as they finish because things change so fast,” said Ganesh Krishnan, former head of security at LinkedIn, Atlassian, and Yahoo. “The ideal cloud-security tools are those that help you continuously monitor and assess the cloud infrastructure environment to prevent attacks.”

5. Some public cloud providers might offer features designed to help you comply with the GDPR, the European Union’s General Data Protection Regulation, which goes into effect this May.

The primary advantage of public cloud is business agility. Not every company needs it, but finding out later that you need it can be a serious problem. Assess and be sure. But if, as more and more companies seem to be deciding, utilizing public cloud services could improve your business, invest in the training necessary to secure the new environment.