In the early days of Cloud adoption, Security was the #1 concern in moving production workloads and their associated data to the Cloud. The idea of moving corporate data beyond the four walls of the corporate Data Center was perceived as a big risk because of the uncertainties and undefined or under-defined security policies and practices. Add to this the notion that it seemed we needed to physically see the lights blinking on the systems and storage media to know our systems were well protected from any outside threats. So, we dabbled with dev/test and other non-production systems and small amounts of data, but we were very cautious about moving our production systems and data stores to the Cloud, believing that our own managed firewalls and other network-specific tools were the best way to insure against any data breach, malware attack, etc. There was no way we were moving our mission critical data to the Cloud!
While Security still remains a concern today, we seem to have moved past it as the #1 concern and companies are moving all kinds of workloads and data to the Cloud. So, what’s changed? To start with, please accept that the big picture of Security revolves around three basic tenets: Physical Security, Organizational Security, and Data Security. While data security gets all the attention because that’s where the pain of the breach is ultimately felt, I would suggest that physical and organizational security lapses can, in turn, open the door for data breaches or system compromises both from internal and external sources and so we need to address all three components and develop a comprehensive security strategy.
Let’s consider Physical Security first. For the most part this revolves around doors and locks and security systems of all types that protect against the physical entry into the space where systems and data are stored. While larger enterprises that operate their own Data Centers may have the resources to implement biometric entry locks, mantraps and other devices, and implement processes to effectively control the physical security of the space where the data is housed, most SMB and even many enterprise businesses may not have the resources. To the degree they do not, this opens the potential for unauthorized access to the physical spaces which may allow for either physical damage to the technology assets and/or an avenue with which systems could be directly accessed to release malware or extract corporate data. Having said that, Physical Security may be the easiest of the three components for Cloud providers to address. Most (not all) Cloud providers are now housed in structures that are indeed physically secure with all the devices, surveillance technology and policies and procedures in place to certify their auditable compliance to physical security measures. Physical Security has evolved over time and is arguably much better than what the vast majority of corporate owned Data Centers can provide and far better than what virtually all SMBs can afford. So, Physical Security in the Cloud is being effectively addressed by most Cloud providers.
Let’s consider Organizational Security next. The approach to Organizational Security is not quite as cut and dried as the approach to Physical Security. Organizational Security, at its root, attempts to put guidelines around the behavior of people. It defines operational guidelines and/or mandates for what people can and cannot do as it relates to their interaction with computer assets, both from internal and external entities. While it’s extremely difficult to be able to address the behavior of individuals (especially those wishing to compromise your computer assets), there has been a lot of good work done in this area in defining, certifying and enforcing auditable compliance with operational guidelines and mandates via SSAE-16, HIPAA and other compliance requirements standards. Cloud providers are very focused on putting these auditable compliance requirements in place in order to address the concerns of their new and existing customer base for at least two reasons. First, without these operationally compliant processes in place, they would attract fewer customers and/or lose existing customers and market share. Second, should a breach or compromise occur in their Cloud environment, it would both destroy their reputation (high business impact) and (depending on the type of breach) may even make them culpable for some portion of the resulting damages to the affected customers. Therefore, Cloud providers spend a lot of money in order to put these operationally compliant processes and procedures in place and to ensure their auditability for the sake of both their tenants as well as their own business operations at large. While these compliant operational policies and procedures are continually evolving (a good thing), this is certainly a huge step forward from the early days of Cloud adoption. The auditable, compliant operational processes are in place and are being enforced by Cloud providers at significant expense that they in turn spread across their tenant base.
The cost to each of the customers is minuscule as compared to what each customer would spend to implement the same in their own managed environment. So, Organizational Security has changed and continues to change for the better.
Finally, let’s consider Data Security. As stated previously, this is certainly the area that gets most of the attention. While I certainly do not want to rehash all that’s been written about this topic, I’d like to offer what I think to be a common sense view. First, let me say that absolute Data Security is never really attainable. (I hope you don’t find that shocking.) It is, however, something that we should relentlessly pursue, to be sure! Second, whether the computer systems are on-premise or at some external location (Cloud or other), they’re vulnerable to compromise from the same or similar forces. How we address those compromising forces may be different depending on where those systems are (Cloud, on-premise, other), how they are connected, to what they are connected, how they’re architected, etc. We’ve actually made a lot of progress in the area of Data Security over the last decade or so and I would argue that it may be the popularity of Cloud adoption itself that continues to fuel this progress.
Gone are the days where we could address Data Security by the use of firewalls and DMZs alone. In today’s world we must address security in a comprehensive fashion – physical, organizational and through all the levels of the technology stack. For Data Security we must consider everything from hardware security to network security to hypervisor security to OS security to database security to application security and including all the micro levels in between. Each has to be developed, monitored and managed with security in mind. This is a big deal and no easy task to accomplish. There have been security tools around for many years that address security at the network and OS level – firewalls, AV, patch management to name just a few. While these tools will need to continually evolve and will play a “first line of defense” role, it’s not until we begin to develop off the shelf and custom applications that are security aware that we will begin to close the loop in pursuit of the elusive “secure system”. This is true regardless of where the systems are located – Cloud or other. It is the wide adoption of Cloud computing that is providing a catalyst to design and develop advanced security tools and security aware applications, etc. to provide for a comprehensive way to address our security concerns.
If you’ve already moved workloads to the Cloud or are thinking of moving new or other workloads to the Cloud, I would offer a couple of thoughts for your consideration:
- The Cloud is not totally secure, but neither is your own data center. Depending on the Cloud provider, the Cloud may indeed be more secure in terms of physical, organizational and data security than your on-premise environment because of the security measures that the Cloud providers can afford to put in place and their auditable compliance to industry accepted operational procedures. Nevertheless, choose your Cloud provider wisely!
- Security and Compliance are shared responsibilities between your company and the Cloud provider. It does no good for the Cloud provider to have all the tools, policies, and processes in place if your infrastructure architecture and/or application designs themselves are vulnerable to attack. Work with your Cloud provider to identify your combined security needs and what tools, processes and procedures each of you will put in place to address these needs. Also, understand what actually happens should a breach occur and be sure these actions meet your business, technical and legal requirements.
A lot has changed in terms of Security in the Cloud and the movement to the Cloud will continue to be fueled by the business agility and cost savings that the Cloud can potentially provide. See – Cloud Computing is a means to an end; it’s not the end goal. Choose what workloads you migrate to the Cloud and your Cloud provider wisely. Ask the right questions. Set expectations for security with both the Cloud provider as well as your own business leaders. Remember security in the Cloud is a shared responsibility. In short, don’t move to the Cloud without well thought out goals and a strategy to accomplish them. Keep Security as a prime concern that must be effectively addressed, but don’t make it an inhibitor in moving to the Cloud. That is what has changed!