In recent years, a mass exodus has been taking shape as enterprises move their data away from in-house servers towards the cloud. This is a logical step for businesses that simply can’t, or don’t want to deal with the expense and the physical space that such servers usually occupy. The potentially limitless opportunity of cloud platforms promises unprecedented operational efficiency, flexibility and profitability. As in inevitable progression for data access, the obvious next question for the cloud is, is it safe?
An Introduction to Cloud Infrastructure Security
In simple terms, cloud infrastructure refers to all of the hardware and software components that comprise a cloud computing solution. This includes the servers and storage hardware, as well as the physical network and virtualisation software that allows each physical server to run several individual computing environments. But what is it that makes this relatively straightforward infrastructure so potentially unsafe?
It could be argued that it’s the very nature of the cloud that makes it unsafe. The recent hacking scandals probably don’t help matters when it comes to public perception. The fact of the matter is, data stored on a public cloud is always going to be less secure than data stored on a segregated, on-premises server. Nonetheless, concerns about security should not and will not stand in the way of progress.
A recent survey found that around 83% of enterprise workloads will be hosted on the cloud by 2020. But with cases of cloud data being compromised in everything from marketing and healthcare to politics, how should businesses and data centres alike be securing their cloud infrastructures?
Securing Your Business
The cloud is a lucrative target for hackers of all persuasions. We’re not simply talking about consumer data and finances, but intellectual property and critical trade secrets that could sink entire companies if they were leaked. As such, the business of cloud infrastructure security has increased tenfold in recent years. Google is doing its part using shielded virtual machines on their cloud platform that have been hardened by a set of security controls to defend against rootkits and bootkits.
However, it’s important to understand that a large portion of the responsibility falls not only on the cloud service providers (CSPs), but on the businesses themselves. Of course, the providers and data centres will have taken all of the necessary steps to cover all necessary ground, but there also needs to be a certain amount of preparedness from the enterprise side too.
Before even considering a cloud solution, Telehouse has listed a few things you should consider when securing your business:
1. Your data encryption capabilities.
2. The privacy controls on who is allowed to access your data and how long it can be used and stored for.
3. The data security measures currently in place, which is particularly relevant in a post-GDPR world and when utilising a public cloud where it might be unclear just how segregated your data is from other systems.
4. The maintenance and management acumen of the CSP.
Best Practices for using Cloud Infrastructure security
Cloud infrastructure security needs to be a combined effort between the CSP and the enterprise. It’s also important to realise that different rules apply when securing cloud infrastructure, as you’re essentially attempting to secure something that nobody has any real physical control over.
When planning your security strategy, both you and CSPs have items to consider.
Considerations for Enterprise:
1. Always start by considering how your data is secured in your on-premise servers. Note the various checks and balances and consider how you might replicate them in the new cloud infrastructure.
2. Next, evaluate the resources required to help you integrate your cloud strategy, such as the people, tech and processes. Holistic, end-to-end security that spans from the data centre requires people both within the CSP and the enterprise itself who can support current and future infrastructures. These processes need to be clearly assigned to either the responsibility of the CSP, or the Enterprise.
3. Always partner with a CSP that has a stringent security policy already in place.
4. Seek out security tools designed to help you identify the areas that the CSP can’t or won’t address. Even the largest of companies (Amazon Web Services, Google Drive and even Intel, for example) are not immune to hacks, so always make sure everything is secure on your end first.
5. Make sure that all sensitive data is encrypted before uploading it. Even if the CSP offers encryption as part of their service, you can never be too safe. Encrypting data ‘at rest’ is also the only way you can confidently comply with privacy policies, regulatory requirements and contractual obligations for handling sensitive data.
6. All end-user devices should also be secured via endpoint security solutions and firewall security to secure your network perimeter.
7. There should be a data retention period for any sensitive customer data. Introduce a policy that removes the sensitive that data programmatically when the period has ended, according to GDPR regulations.
8. Private clouds that are only accessed by one enterprise on a private network will obviously be more secure than public clouds, though they are far less flexible and more expensive. A good compromise is to use a hybrid cloud system, which uses a private cloud for sensitive and business-critical purposes, and a public cloud for high-demand and less mission-critical data.
9. Establish and maintain security policies by designing guidelines to be promoted and enforced within your Enterprise.
10. As well as encrypting data, clouds can also use cryptographic protocols to secure browser access to the customer portal and to transfer encrypted data. SSL protocols must be used to enable applications to communicate throughout the cloud while preventing tampering.
Considerations for your CSP:
1. Thorough vulnerability testing should be employed by your CSP. How often these tests (that scan for and fix system weaknesses) are required will depend on the network, but it could be monthly, weekly or even daily.
2. Insist on compliance certifications from your CSP. These include PCI DSS and SOC 2 Type II certifications, which are only rewarded after the provider has undergone a detailed auditing process. The former relates to how sensitive data is stored, processed and transmitted, whilst the latter confirms that the cloud service is specifically designed and rigorously managed to maintain the highest level of data security.
3. The CSP should provide role-based access control (RBAC) to allow customers to set user-specific access and editing permissions for their data.
A Secure Future
Security professionals remain sceptical about how secure cloud infrastructure can actually be, but as we are seeing that’s not going to stop the wheels of progress.
Whilst you can mitigate certain security risks by using a CSP with a good security track record, there needs to be a fundamental revaluation of how enterprise IT teams approach their data security if they are to fully embrace the cloud. There have been many cases where IT teams scramble to implement remedial measures once they’ve realised they are no longer in control of their own data, putting themselves in a comprisable position.
In order to utilise the potential of the cloud, analyse the potential risks involved and put measures in place without complicating the process. Of course, most enterprises will naturally focus their IT resources on keeping systems operating at optimal performance, but time and budget should always be set aside for security, particularly in the current climate.
It’s a tricky balancing act, for sure, but if it’s perfected then an incredibly bright and secure future in the cloud awaits.