
Like cloud computing itself, cloud security can mean lots of different things. Since there is no singular way to define “the cloud,” there is no one strategy for making sure that apps running in the cloud are secure.

Still, whatever your cloud looks like, there are general practices that you can follow to ensure that your cloud infrastructure is safe from security vulnerabilities. Some of these tips overlap with best practices that apply to any type of infrastructure. Others are specific to the architecture of cloud environments.

Here’s an overview of what IT professionals today should know about cloud security, broken down according to different types of cloud environments.

All clouds

For starters, let’s take a look at the security concerns that apply to virtually all types of clouds. They include:

  • Data is transferred over the network. In almost any type of cloud-computing environment, the network serves as the workhorse that transfers information between the cloud where it is hosted and the endpoints where users work. This is a security concern because putting data on the network creates a large, complex attack surface, which would not exist if all computing were done locally. To reduce this risk, cloud admins should use encryption and network monitoring tools, and ensure that their network infrastructure itself is secure.
  • Information is decentralised. Under most cloud configurations, data is spread across a large number of physical or virtual servers. This decentralisation of data makes it more difficult to monitor information and detect possible attacks. It’s not impossible to keep cloud data secure, but it requires a more complex and broader security-monitoring strategy than would be necessary for securing information on a single local device.
  • Environments change rapidly. One characteristic that makes the cloud attractive is its ability to scale. New virtual servers can be spun up quickly. Devices can connect to and leave a cloud network at will without affecting the reliability of the core infrastructure. However, these advantages also mean that the makeup of most clouds changes rapidly. And since rapidly changing environments are more difficult to secure than ones that are relatively static, organisations need to address this variability when developing their cloud security plans.

Public clouds

Public clouds are those where computing is performed or data is stored on servers not directly controlled by the organisation that uses them. For example, if your company buys access to servers on Amazon’s AWS network or Microsoft Azure, it’s using a public cloud.

The public cloud presents special security considerations. They include:

  • Third parties control your data. All major public cloud providers strive to ensure the security of the data entrusted to them. But placing data in the public cloud still requires giving up direct control over it. This can be especially problematic if compliance policies at your organisation prohibit the storage of sensitive information on third-party servers.
  • Shared security model. Most public cloud providers have a shared security model that you need to be aware of. The provider is responsible for the global infrastructure, including compute, storage, databases and networking, and the customer is responsible for everything else inside the infrastructure. There is no single reference architecture that fits all security requirements, but providers often have tools to help customers secure their assets. Customers need to architect and design to safeguard systems, and make use of the security and logging tools to aggregate data so that they can continually analyse and respond to incidents. Using infrastructure as code to build out the infrastructure and deployments in a consistent way allows customers to embed the provisioning of these resources in a compliant fashion, so that system and network configurations are always security hardened. With the uptake of serverless technologies, customers can also have ‘no-ops’ functions that respond to and remediate incidents.
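
To illustrate the infrastructure-as-code point above, here is an added example (not from the original article or from any provider) of a pre-deployment check that fails a build when declared resources are not hardened. The resource schema, the field names and the three rules (encryption at rest, access logging, no admin ports open to the world) are assumptions made for illustration, not a real provider format.

```python
import ipaddress
import json

# Constructed sample: a simplified, hypothetical IaC resource list.
TEMPLATE = json.loads("""
[
  {"name": "app-data", "type": "storage", "encrypted": true, "access_logging": true},
  {"name": "exports", "type": "storage", "encrypted": false, "access_logging": false},
  {"name": "web-fw", "type": "firewall",
   "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
  {"name": "admin-fw", "type": "firewall",
   "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]}
]
""")

ADMIN_PORTS = {22, 3389}  # SSH and RDP


def is_world_open(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_resource(res):
    """Return the list of policy violations for one declared resource."""
    findings = []
    if res["type"] == "storage":
        if not res.get("encrypted", False):
            findings.append("storage is not encrypted at rest")
        if not res.get("access_logging", False):
            findings.append("access logging is disabled")
    elif res["type"] == "firewall":
        for rule in res.get("ingress", []):
            if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
                findings.append(f"admin port {rule['port']} open to {rule['cidr']}")
    return findings


def audit(template):
    """Map resource name -> violations, omitting compliant resources."""
    checked = ((res["name"], check_resource(res)) for res in template)
    return {name: findings for name, findings in checked if findings}


if __name__ == "__main__":
    report = audit(TEMPLATE)
    for name, findings in sorted(report.items()):
        for finding in findings:
            print(f"FAIL {name}: {finding}")
    raise SystemExit(1 if report else 0)  # non-zero exit blocks the pipeline
```

Run as a pipeline step before provisioning, the non-zero exit code stops a non-compliant template from being deployed.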

Private clouds

In private clouds, organisations run their own cloud servers. Private clouds can mitigate the security concerns associated with public clouds, but they’re not free of potential vulnerabilities.

Private clouds are subject to the following security challenges:

  • Lack of patching. If you run a private cloud, it’s up to you to make sure that all of the servers and software running on it are up-to-date and patched against known security vulnerabilities. This can be challenging without the right plan and personnel, since the software stack required to run a private cloud is complex. You have to secure not only the bare-metal servers that form the foundation of the cloud, but also the virtualisation software that runs virtual servers, the operating systems, the individual cloud apps, and so on.
  • Malicious employees. An unhappy employee is bad for your company in any situation. When you set up a private cloud, however, you create a place where a malicious employee with access to the cloud could wreak major havoc, since the private cloud is likely to be essential to your business’s operations. There’s no sure-fire way to prevent this risk, but it is one you should keep in mind.

Conclusion: cloud security is difficult

Perfect security in the cloud or anywhere else is impossible. But the complex nature of most clouds - whether they are public, private, hybrid or something else - can make it especially difficult to secure cloud environments.

That’s why Contino recommends against trying to do it all on your own. Instead, take advantage of the support you can get from a provider like Contino, in order to ensure that you can make the most of the cloud without risking security.