The main public cloud providers have demonstrated success at keeping their services resilient and available, showing no signs of buckling under attack. Indeed, the question of whether clouds are secure now has an answer: yes.
However, provider-supplied security differs between Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).
SaaS is generally the biggest challenge, representing most of an organisation’s public cloud use and at least 90 percent of their cloud vendor management efforts. Large enterprises typically have 20-900 SaaS vendors, yet only 1-3 IaaS vendors. The problem with having so many vendors is that organisations have less visibility into user activity and less ability to impose policy.
The cloud reduces the scope of required traditional security work, but doesn't eliminate it. Moving workloads to the cloud doesn't automatically make them "more secure."
The popularity and demonstrated security competence of cloud service providers doesn’t absolve security leaders of their responsibility to actively manage cloud security. Security in the cloud is a shared responsibility.
Regardless of the type of cloud model, identity and access management (IAM) and data security are always customer responsibilities.
Gartner expects that by 2018, the 60 percent of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures.
Follow these seven recommendations to develop effective security strategies for existing and planned utilisation of public clouds.
1. Incorporate appropriate IAM
Incorporate appropriate IAM from the outset, ideally based on roles, especially for administration duties. Customers, not the provider, are responsible for defining who can do what within their subscription.
2. Isolate data at rest with encryption
Providers have a vested interest in maintaining strong isolation between routine maintenance procedures and customer data, and between the customers themselves. Encryption is a useful tool for creating logical isolation from other data centre tenants, for enforcing classification policies and for ensuring digital shredding at end of life.
3. Segment and contain traffic with virtual network and filtering controls
For IaaS, segment and contain network traffic using the provider’s virtual network and filtering controls as a minimum. Subnets within virtual private clouds can declare whether instances have Internet, VPN or no external access at all. Network access control lists also define permitted and blocked inbound and outbound traffic.
4. Establish a security control plane
Use third party-tools to establish a security control plane to achieve better visibility, data security, threat protection and compliance, as well as to automate security configurations.
5. Take full responsibility for application and instance security
Providers take no responsibility for the security of application code that customers develop and run in clouds. Use static and dynamic testing tools to identify and remove application vulnerabilities. For cloud-based workloads, consider using cloud-based testing tools.
6. Backup all data in a distinct fault domain
To spread risk most effectively, back up all data in a fault domain distinct from where it resides in production. Some cloud providers offer backup capabilities as an extra cost option, but it isn't a substitute for proper backups. Customers, not cloud providers, are responsible for determining appropriate replication strategies, as well as maintaining backups.
7. Investigate potential of being "compliant by inclusion"
Many larger providers routinely undergo various compliance audits, which serve as signals to customers indicating the seriousness with which providers regard security. Leverage the benefit of being "compliant by inclusion" by incorporating the provider’s published attestations into your own.
Steve Riley is a research director at Gartner