What You Should Know About Securing Your Public Cloud — But Didn’t Know to Ask

February 3, 2012 By David
Grazed from CTR.  Author: Rand Wacker.

While the cloud makes it far easier to procure and deploy computing resources, it also mandates a new set of security requirements that differ from systems running in an organization’s traditional private data center.

Traditional security technologies simply don’t work in these new cloud-computing environments. Without access to the physical network, appliance-based network-scanning can’t see traffic going to and from your servers, and host-based scanning agents usually consume a tremendous amount of CPU time — a resource that customers pay for directly in the metered billing systems popular in the cloud…

There’s also a question of ownership: Does the infrastructure as a service (IaaS) provider hold responsibility for cloud server security or is the onus on customers to ensure their servers are locked down in the cloud? The answer is both. However, these tasks have often been managed in-house by a separate dedicated security team and many smaller companies moving to the cloud lack this level of seasoned security expertise. The result is many cloud servers are often deployed with inadequate security controls in place for protecting corporate assets.

Survey Reveals the Most Common Cloud Security Concerns
CloudPassage recently conducted a survey among IT professionals across the country to drill down to their specific cloud security concerns (since general cloud security always emerges as the number one issue when talking about cloud adoption). When asked which area of public cloud security concerns them most, more than half of the respondents called out the lack of network-based security controls such as gateway firewalls and similar systems. The multi-tenancy of infrastructure or applications ranked second (39 percent), followed by provider access to guest servers (24 percent), achieving compliance with PCI or other standards (26 percent) and enterprise security tools that fail to work in the cloud (22 percent).

And, although cloud security concerns are shared across the enterprise, the survey found that 63 percent of IT managers are primarily responsible for raising these issues within their organizations.

Why Current Security Approaches Cannot be Translated to the Cloud
Security in the cloud is very different from traditional IT environments. There is no ability to put a firewall in front of your cloud servers, which is the first physical challenge.

Another challenge, which is exacerbated in the cloud, is that the cloud is built to enable a much more dynamic operating environment, where servers are cloned, a company’s pool of servers grows and shrinks, and servers move between clouds — things that are mind-bending to a traditional data center security operations team. Handling the elasticity of the cloud is a huge challenge for firewall management.

Furthermore, when a new server spins up in the cloud, the company’s policies need to be immediately applied to bring it in line from a security perspective. Other servers may also need to know that a new server has been brought online and updated. If, for example, a company brings on a new web server to add capacity, all of its database servers need to be told about that web server so that it can access the data on them.

For all these reasons and more, security for cloud computing requires a new architecture that meets the same business requirements for security that companies have built in their private data centers. System security must be applied at the virtual machine level, with management tools built to handle the dynamic and highly automated nature of cloud. Businesses should take this opportunity to assess their critical security requirements and prioritize deployment of security technologies that will enable their business goals, as well as work across both cloud and traditional infrastructure deployments.
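As an added illustration of the policy-propagation point above (example code, not from the article or any CloudPassage product), this Python sketch derives each host's inbound allow-list from server roles rather than hard-coded addresses and reports which existing servers must be re-provisioned when a new web server joins the pool; the roles, addresses and policies are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    name: str
    role: str  # constructed roles: "web", "db", "admin"
    ip: str


@dataclass(frozen=True)
class Policy:
    src_role: str  # role allowed to connect
    dst_role: str  # role that must open the port
    port: int
    proto: str = "tcp"


def host_rules(inventory, policies, host):
    """Inbound allow rules HOST should enforce: one per (policy, peer) pair."""
    rules = set()
    for p in policies:
        if p.dst_role != host.role:
            continue
        for peer in inventory:
            if peer.role == p.src_role and peer.name != host.name:
                rules.add((p.proto, peer.ip, p.port))
    return sorted(rules)


def render_iptables(rules):
    """Render the rules as iptables-restore style lines with a default-deny INPUT chain."""
    lines = ["-P INPUT DROP",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for proto, src, port in rules:
        lines.append(f"-A INPUT -p {proto} -s {src}/32 --dport {port} -j ACCEPT")
    return lines


def add_server(inventory, policies, new):
    """Register NEW and return the names of existing hosts whose rule sets changed."""
    before = {h: host_rules(inventory, policies, h) for h in inventory}
    inventory.append(new)
    return sorted(h.name for h, old in before.items()
                  if host_rules(inventory, policies, h) != old)


# Constructed sample pool: web tier talks to Postgres, a bastion reaches everything on SSH.
POLICIES = [Policy("web", "db", 5432), Policy("admin", "web", 22), Policy("admin", "db", 22)]
INVENTORY = [Server("web-1", "web", "10.0.1.10"), Server("db-1", "db", "10.0.2.10"),
             Server("db-2", "db", "10.0.2.11"), Server("bastion", "admin", "10.0.0.5")]

if __name__ == "__main__":
    changed = add_server(INVENTORY, POLICIES, Server("web-2", "web", "10.0.1.11"))
    print("hosts to re-provision:", changed)  # the db tier, not web-1 or the bastion
    for line in render_iptables(host_rules(INVENTORY, POLICIES, INVENTORY[1])):
        print(line)
```

Scaling the web tier produces a rule change only on the database hosts, which is exactly the fan-out a static perimeter firewall cannot express.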

Cloud computing offers tremendous potential for cost reduction and IT agility, and a new IT ecosystem is quickly emerging that works in both the new and the old worlds. Take advantage of it.

Three Steps For the Smart IT Manager to Secure Cloud Deployments

  1. Start with public cloud. If your company is planning to use IaaS in general, and thinking about security and operations, consider starting with the public cloud first. If you can create an environment in the public cloud that meets all of the operational and security needs that you have, then it is very easy to bring that into a private cloud or a hybrid environment. If you think about the security challenges of private clouds first, you are apt to do something like install hypervisor-based security, which for all intents and purposes is just another network-based perimeter similar to what people have in their private data centers; it doesn’t translate to the public cloud.

  2. Enable your organization to adopt these new technologies, but educate your employees about their responsibilities. The barrier-to-entry for public cloud services is very low, sometimes free, and people are beginning to use them because they help them get their job done. It is going to be impossible for IT to stay ahead of all trends and technologies at the current pace of innovation, and thus, it is counterproductive to try to prevent your employees from using them. Recognize what is happening and make an extra effort to educate people about what they need to consider if they “take IT into their own hands.” Starting with security, they should, at minimum, understand the differences between running in a company-managed data center versus running in a public cloud service.

  3. Trust, but verify…okay, maybe you won’t trust, but definitely verify. Be familiar with the latest trends in technology and keep an eye out for where they may be gaining grassroots adoption. With mobile devices and remote workers, it is difficult to police external services at the corporate border. Scan expense reports for recurring charges, look at internal discussions about unknown services and reach out to the providers of these services as well as your internal users to see what can be done to enable and encourage business use…safely.