More and more organizations are now entrusting their IT resources and processing to the cloud. This trend is likely to grow in the coming years. To illustrate, Gartner predicts that cloud data centers will process 92 percent of workloads by 2020. Cloud workloads are expected to increase 3.2 times in that same span of time, Cisco forecasts.
With migration on their minds, many organizations are beginning to wake up to the security challenges of hosting their data in the cloud. Some might be struggling to identify who’s responsible for which parts of their cloud security under the shared responsibility model with their chosen cloud service provider (CSP). Others might be looking at OneLogin and worrying about falling victim to a breach that compromises their cloud-based data, to say nothing of the other threats that jeopardize their cloud security.
These concerns are all valid. But while cloud security does have its challenges, it’s not impossible to figure out.
Australian web security expert Troy Hunt recommends that organizations begin by not thinking about cloud security in binary terms. Rather than classifying elements as “secure” or not, he suggests thinking of aspects of the cloud as “differently secure.” The same goes for securing the cloud versus securing physical hardware and datacenters.
“On the one hand, you may hand over physical control, but on the other hand, you’re almost certainly doing so to an organization better-equipped to manage computing environments than your own,” Hunt observes. “Then there are concerns around the increased attack surface of putting services in the cloud, but there are great things that can be done with virtualized networks and access to features that were previously cost-prohibitive for many organizations (WAFs, HSMs, etc.). So think of the cloud as ‘different’ and make the most of those hybrid scenarios where you can gradually move assets across in a fashion that suits your own organization’s comfort level.”
The cloud is certainly different from on-premises resources, so it makes sense that security would be different, too. It follows that organizations must sometimes rethink how they’re currently doing things with respect to implementing security in the cloud.
Adrian Sanabria, Director of Threatcare, says it’s not possible for companies to simply “lift and shift” to Amazon Web Services (AWS) or Microsoft Azure without inviting a very expensive disappointment. Instead, they must pay attention to the differences and use them. With that said, one of the most important differences in the cloud for Sanabria is the management plane:
“Since everything in the cloud is virtualized, it’s possible to access almost everything through a console. Failing to secure everything from the console’s perspective is a common (and BIG) mistake. Understanding access controls for your AWS S3 buckets is a big example of this. Just try Googling ‘exposed S3 bucket’ to see what I mean.”
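The S3 exposure Sanabria describes comes from three layers of bucket access control that must be reviewed together: the bucket ACL, the bucket policy, and the account- or bucket-level Block Public Access flags. The following is an added example (not code from the article or from Threatcare) that audits those three documents offline; it assumes the inputs are in the shapes returned by `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`, and the sample bucket data is constructed.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _wildcard_principal(principal):
    """True if a policy statement's Principal grants access to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_bucket(acl, policy, public_access_block):
    """Return a list of findings describing public exposure of one bucket.

    acl: dict shaped like get-bucket-acl output; policy: parsed bucket policy
    dict or None; public_access_block: dict of the four Block Public Access
    flags or None (no configuration at all, the riskiest case).
    """
    findings = []
    pab = public_access_block or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            who = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            cond = " (has Condition, review it)" if stmt.get("Condition") else ""
            findings.append(f"policy allows {', '.join(actions)} to Principal *{cond}")
    return findings


# Constructed sample: a public-read ACL plus a wildcard GetObject policy and
# no Block Public Access configuration, i.e. the classic exposed bucket.
SAMPLE_ACL = {"Owner": {"ID": "constructed-owner-id"},
              "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                          "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::constructed-bucket/*"}]}
LOCKED_DOWN = {flag: True for flag in PAB_FLAGS}  # all four flags enabled
```

Running `audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, None)` reports all three problems; with `LOCKED_DOWN` in place the Block Public Access finding disappears, though the ACL and policy grants are still listed so they can be cleaned up.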
Consoles aren’t the only factor that separates the cloud from physical hardware. Craig Young, a security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), says the ways in which organizations can choose to process data in the cloud also stand out:
“Cloud service providers allow customers to build complex private network environments suitable for processing even the most sensitive data. The confidentiality of this data rests on security controls unlike those commonly used on-premise, and a slight mistake can ultimately expose this sensitive data to the public Internet. Network administrators need to keep a close eye on the external view of all IP space allocated for their cloud. Vulnerability scanners like Tripwire IP360 make it easy to recognize exposed services and close them up before attackers can exploit them.”
Understanding how cloud security differs from datacenter security is crucial for organizations. They need that knowledge not only to migrate to the cloud but also to implement the right security controls once the move is complete.