Cloud security has always been one of the big issues deterring companies from using public cloud vendors. Fears remain that the public cloud may compromise data security and open the doors to a breach. While those fears are not unfounded, the fact is that more than two-thirds of IT teams have deployed applications and storage to a public cloud, according to a new IDG survey.
Clearly, many common security doubts have been satisfactorily addressed. But concern remains. So how confident should you be about public cloud security, and what responsibilities for security remain in your hands?
1. Prepare for More Cloud, Not Less
The first thing to realize is that there will be more public cloud in your future, not less. It is going to be a losing battle to attempt to block all efforts to use public cloud computing services. Mark Bloom, director of product marketing, compliance and security at Sumo Logic, provided a parallel for the inevitability of more public cloud.
“Ten years ago, no one was virtualizing mission-critical workloads because of security and compliance concerns, but we ended up there anyways,” he said. “This is exactly the same thing for cloud.”
In this world, speed and time-to-market are everything. Organizations, therefore, are looking to be more flexible and more agile and to capitalize on business opportunities. The cloud looks attractive from that perspective. Few will resist.
2. Know that Public Cloud Security Is Very Good
Maybe a decade ago, public cloud security was dodgy. But not today. In fact, it is arguable which is more secure: the cloud or an in-house data center. Some would go as far as to say that keeping on-premise data safe is as difficult as, if not more difficult than, keeping data safe in the public cloud.
“The reason for this is the person in charge of security on-premise is not necessarily an expert,” said Michael King, senior director of marketing operations, DDN. “If your data is inside your firewall, you feel as though it’s safer. But the fact of the matter is, when connected to the Internet, no scenario is completely safe. More often than not, the experts at public cloud companies have more resources at their disposal to keep data secure than those on-premise.”
3. Understand Division of Duties
Cloud providers go to great lengths to explain the many amazing security features they utilize to safeguard customer information. This includes encryption, firewalls, anti-malware, authentication, public keys and a whole lot more. But that doesn’t mean they take care of everything — far from it.
Anyone trusting cloud providers to take care of every possible aspect of cloud security is in for a nasty surprise. For example, data may be protected and encrypted once it is locked up safely within the provider’s infrastructure. Yet when in transit to or from the cloud, it may be wide open to danger.
There is no substitute for understanding the provider’s shared security model. In the case of Amazon Web Services, AWS is responsible for the infrastructure, said Bloom. The customer is responsible for the security of everything that runs on that infrastructure — the applications, the workloads and the data.
4. Consider Who Does What
IDC Analyst Deepak Mohan put it another way. In the shared model, Amazon handles the overall security of the cloud, and customers are responsible for the security of their applications and storage in the cloud.
That said, the AWS cloud is designed with security as its highest priority and is designed to meet the highest security needs, he added. For instance, it is accredited with commonly required security certifications such as ISO 27001 and DoD SRG.
AWS offers two levels of guidance to customers that need assistance in security for their applications. The base level is through AWS support, which offers customers tools and resources to identify gaps and meet their security needs. More advanced support is available through the AWS Professional Services group and through the AWS Partner Network for customers with more complex and specialized security needs.
“Customers need to plan for and build in security at the application level,” said Mohan.