With the move from in-sourced systems and legacy data centres to cloud-based services well under way, businesses are faced with the need to understand and effectively manage a new set of risks and security challenges that come with the delivery of services from outside the traditional security model.
Although some industry analysts such as Gartner’s Jeffery Wheatman assert that “the dynamic nature of the cloud, coupled with a lack of customer ownership of infrastructure and limited transparency, has essentially broken the traditional security models and architecture,” the reality is not quite so bleak.
Organisations, including both financial institutions and government agencies, with robust risk management capabilities have been among the first to begin large-scale migration to cloud services.
Their ability to effectively evaluate the actual risks, ignore the hyperbole and develop appropriate mitigation strategies and controls has allowed them to take advantage of these new delivery models far faster than organisations that are yet to get past the initial data sovereignty issues - or the assumption that cloud is somehow “less secure.”
These organisations see cloud as an extension to their existing security model, not as a wholesale replacement.
Safer than on premise?
Security is a frequent cloud service objection and yet the reality is that cloud services can be at least as secure as on-premises models - and in many cases provide significantly higher levels of security, visibility and reporting than most organisations can achieve from their legacy systems.
Cloud service providers are able to invest significant resources in the provision of multi-layered security controls and are able to hire highly skilled security resources that many organisations could not afford or be able to justify on a workload-by-workload basis, because the cloud provider can amortise this investment across multiple clients.
The standardisation of services and the continuous monitoring and maintenance of cloud infrastructure eliminate many of the risks that occur in traditional deployments as a result of wide variance in configurations and unpatched or unmaintained systems.
Investing in security architects
The investment in highly skilled security architects, the provision of Security Incident Response teams and 24x7x365 monitoring and support means that for many organisations, their overall risk exposure is reduced as they migrate to the cloud. An added benefit of the orchestration and automation capabilities that are critical characteristics of true cloud services is that access to role-based administrative controls and detailed audit logs of all changes in the environment provide a level of visibility into the environment that was not previously available.
Additional controls within cloud services, such as 24x7 monitoring, intrusion prevention, denial of service (DoS) protection and regular systems penetration tests, contribute to the high level of security expected of cloud services. Services that enforce multi-tenant separation in the orchestration layer, along with options for encryption and private network connections to the cloud, add to the “security in depth” model that reduces the overall risk for your organisation.
Key factors for peace of mind
Here are some key factors to consider before moving to the cloud to ensure your business is confident in its transition:
How clearly defined is your cloud service provider’s security model and how will this integrate with your existing processes?
Wrapping a virtual perimeter around sensitive data in a cloud environment isn’t true “security.” Your provider should have an approach to securing each layer of the cloud environment, including infrastructure, operating system, application and network.
Organisations consuming services from the cloud should be able to leverage the investments made by the cloud service provider to improve their overall risk position – not to replace it.
Is your cloud security strategy simply an extension of your on-premises strategy?
Because cloud environments are much more dynamic than on-premises infrastructures, security approaches need to provide automated adaptability to respond to changing demands.
The impact on systems and processes, including incident, change and problem management, must be understood, and those processes modified to ensure that they are still effective when some services are delivered from outside the traditional internal data centre.
Can you customise your cloud environment to meet your unique security specifications?
The cloud platform you select should offer a fully managed, secure foundation upon which to establish and grow your cloud strategy. From physical security to network separation, does your cloud provider offer a foundation that meets your needs today and offers options as you scale?
The challenge here is to effectively leverage the investment that the cloud service provider makes in the fully managed, secure services without asking for changes for convenience that may impact the overall risk position.
Some cloud service providers will allow clients to encrypt their own data and maintain the encryption keys themselves, as well as offering private network connectivity for organisations that prefer not to use the internet as the delivery mechanism.
David Hanrahan is the general manager of cloud services at Dimension Data.