Cloud security is obviously a hot topic, but it is also a massive and complex one. So rather than try to cover everything, I'm going to focus where the payoff is highest: dispelling common misperceptions and recommending concrete security options and best practices.
People tend to fear what they don’t understand, and many people simply don't understand in detail how public clouds work. As an analogy, do you understand in detail how your bank keeps your money safe? Most likely, you feel pretty confident given what you’ve seen on TV: bank vaults, security guards, emergency buttons under the tellers' counter, etc. And you also feel good when you see “FDIC Insured” on your bank’s office or website.
Let’s take the bank analogy further. A bank is a multitenant environment; you store your money there, along with many others. Your bank account is like a public cloud account or subscription. You access and control your bank account over the internet, just like your cloud resources.
Hackers have repeatedly and successfully targeted banks and stolen plenty of money, just as hackers have successfully targeted other online properties. Yet, the vast majority of people trust that banks are secure. But many have doubts about security in the public cloud. As you’ll see throughout this blog post, I contend we all have good reason to trust the public cloud providers — at least as much as we trust our banks.
One obvious difference between banks and the public cloud is that if the bank is robbed or hacked, your money will most likely be safe because it's insured. And after the robbery you can go on with life without concern for ongoing harm related to the theft: your account balance is unchanged.
What we store in the public cloud, however, is data. And herein lies the important distinction: Data is much more complex than money. If a hacker steals your data, you can never get back the hacker’s copy of that data. What’s the value of that data? How much harm could be caused by hackers using that data? How many people or customers would be impacted, and for how long? Will your business survive the theft? Those are scary questions, so no wonder people are concerned about cloud security.
So it makes sense that people are worried about putting their data in the public cloud. As the surveys mentioned above reported, many people think it's safer keeping their data on premises in their own data center. But if your data center isn't thoroughly locked down, or if your security practices are lax, keeping your data on premises is probably no safer than keeping your life savings under your mattress. Is that where you keep your money?
It's worth asking, "What are the most common causes of security breaches?" An authoritative starting point is the Open Web Application Security Project (OWASP) Top 10, which ranks the most critical web application security risks. For the sake of brevity, here's the top half of the list:
Or look at a few of the top 6 causes of security incidents from another source:
We could keep going, but are you seeing anything about the cloud in these lists? The point is that not a single one of these causes of security breaches is specific to the cloud. Rather, most of them can quite simply be classified as lax security practices: either these companies aren't aware of security best practices, or they aren't diligent in following them.
OK, so let's take a different tack and focus specifically on the cloud. In an article from CSO about the Cloud Security Alliance's "Treacherous 12" cloud computing threats, here are the top five from the list:
To summarize at a high level, the article states that the cloud introduces some new potential attack vectors and that a breach of a public cloud provider could cause serious damage. That's completely true, and scary.
But I also agree 100% with an InfoWorld article entitled “For Cloud Security, It’s Not the Hackers You Should Fear.” You should fear businesses that don’t take the time and effort to secure their applications, whether they’re in the cloud or not. The point is clear: Wherever you host your applications and data, on premises or in the cloud, you need to follow security best practices in order to protect your data.
Let’s take a closer look at security in the cloud.
Does your data center have physical security measures that are comparable to well-established hosting providers, or to the public cloud providers? Are armed guards at your data center? Does your data center pass all of its physical intrusion tests? Does your company even do physical intrusion tests? Can your employees easily access data within the data center, or is access restricted?
I've toured an Azure data center in person, and you can tour one online. The facility was totally locked down and run by a skeleton crew of staff who were very well trained for their respective jobs. They said there were only around 10 to 12 employees there, and the majority were armed security people.
There were only a few employees monitoring the data center infrastructure, and none of them had access to any data stored in the facility. The workers can’t even get access to data unless a customer explicitly grants them access for troubleshooting purposes, and the duration of that access is very short-lived.
Microsoft takes securing data so seriously that they don’t even allow hard disks to leave the facility. Instead they grind them into dust on-site, and only their dusty remains leave the data center.
In short, public cloud data centers are quite secure. But practically speaking, that’s the easy part of securing the public cloud.
Obviously, the public cloud is a massive target for hackers, and it’s a safe bet they’re constantly trying to break in. But lots of sites are getting hacked all the time, so what makes the cloud so special? Is it easier to hack into the public cloud than other sites?
Public cloud providers such as Amazon Web Services (AWS) and Azure invest heavily in securing their respective clouds. Their very existence depends on it. Just imagine the ramifications if there was a security breach in the public cloud whose root cause was lax security by the cloud provider. Such an incident would crush everyone’s confidence in that provider, and there would be a mass exodus. It might even have a ripple effect that would impact other cloud providers as well.
Cloud providers simply must invest heavily in hiring top security talent to secure their clouds. Still, I don’t envy those security experts who are busy securing the public cloud. Talk about a tough job that could keep you awake at night.
If you take a step back and think about it, there are only a few things that give the public cloud a larger attack surface than on-premises or private hosting options.
For a more complete perspective, let’s contrast those potential attack vectors with some areas where the cloud providers try hard to reduce security risks.
When all is said and done, your cloud resources will only be secure if both you and your cloud provider follow all security-related best practices. This split is what the providers call the shared responsibility model. The cloud provider must secure its data centers, its cloud infrastructure, its cloud fabric, and its cloud services and APIs. On top of that, you must secure your cloud networking, storage, compute resources, applications, data and identity. The provider does not configure your firewall rules or decide who gets administrator rights in your subscription; those are yours. If you both do your part, you'll make it tough for the hackers.
So do your part. Read your cloud provider's security recommendations and follow them. Use the tools and technologies available to you to secure your cloud resources. Secure your user accounts with multifactor authentication. Lock down your networks, subnets and ports, and use firewalls so that management ports such as SSH and RDP are never exposed to the whole internet. Grant the minimal access to cloud resources that each user and service actually needs (least privilege), and review those grants regularly. Bring in experts to help you migrate to the cloud, or to review your cloud implementation. In short, take the time and effort and spend the money to protect your data and avoid becoming the next hack.
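Two of the recommendations above, least-privilege access grants and not exposing management ports to the internet, are the kind of thing that can be checked mechanically rather than by eyeballing a console. The script below is an added example and is not code from the original post or from any cloud provider. It audits two constructed inputs shaped like an AWS IAM policy document and a security group ingress rule list (the field names `proto`, `from_port`, `to_port` and `cidr` for the rules, and the list of "sensitive" ports, are assumptions chosen for illustration). The check logic is deliberately simple: it flags `Allow` statements with wildcard actions or an unconditioned wildcard resource, and ingress rules that open a sensitive port to `0.0.0.0/0` or `::/0`.

```python
"""Audit constructed cloud configuration snippets for two common lapses:
over-broad access grants and wide-open network ingress.

Added example; not code from the original post or from a cloud provider.
The input shapes mirror an AWS IAM policy document and a security group
ingress list, but the data below is constructed for illustration and the
check logic is this example's own (assumption), not a provider tool.
"""
import ipaddress
import json

# Ports attackers scan for first. Exposing any of them to the whole internet
# is the lax practice the post warns about. (Assumption: an illustrative
# starting list, not a complete inventory.)
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   1433: "mssql", 27017: "mongodb", 6379: "redis"}


def _as_list(value):
    """IAM permits either a single string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def audit_iam_policy(policy):
    """Return findings for Allow statements that exceed least privilege."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"{sid}: allows every action (Action: '*')")
        else:
            service_wild = [a for a in actions if a.endswith(":*")]
            if service_wild:
                findings.append(f"{sid}: allows every action on a service "
                                f"({', '.join(service_wild)})")
        if "*" in resources and not stmt.get("Condition"):
            findings.append(f"{sid}: applies to every resource with no Condition")
    return findings


def audit_ingress_rules(rules):
    """Return findings for rules exposing a sensitive TCP port to everyone."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen != 0:
            continue  # scoped to some network; not the headline risk here
        if rule.get("proto", "tcp") not in ("tcp", "-1", "all"):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        for port, name in sorted(SENSITIVE_PORTS.items()):
            if lo <= port <= hi:
                findings.append(
                    f"{rule['cidr']} -> tcp/{port} ({name}) open to the internet")
    return findings


# Constructed sample: one over-broad statement beside one least-privilege
# statement, and one internet-facing SSH rule beside two acceptable rules.
SAMPLE = {
    "iam_policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AdminEverything", "Effect": "Allow",
             "Action": "*", "Resource": "*"},
            {"Sid": "ReadOneBucket", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-bucket",
                          "arn:aws:s3:::example-bucket/*"]},
        ],
    },
    "ingress": [
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "10.0.0.0/16"},
    ],
}


def audit(config):
    """Run both audits and return the combined findings."""
    return {"iam": audit_iam_policy(config["iam_policy"]),
            "ingress": audit_ingress_rules(config["ingress"])}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

On the sample, `AdminEverything` produces two findings and `ReadOneBucket` none, which is the shape a least-privilege policy should have: named actions on named resources. The SSH rule from `0.0.0.0/0` is flagged, the HTTPS rule is not (a public web port is expected to be public), and RDP restricted to the 10.0.0.0/16 network passes because the check only targets rules open to the whole internet; a stricter policy would also question the size of that internal range.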
Cloud security remains a hot topic and a big concern for those considering a move to the cloud. And so the question remains: "Will we really be secure in the cloud?" The answer is that it depends largely on you. From a security perspective, deploying your applications to the cloud is no riskier than deploying them on premises, provided you follow your cloud provider's best practices for the parts of the stack that are yours to secure. Do that, and you can safely enjoy all of the advantages of moving to the cloud.