As a system administrator during the early days of the “cloud revolution” I found the “cloud” metaphor an interesting choice to frame the technology stack. Clouds, in my mind, were “woolly” and hard to pin down as opposed to the omnipresent, always-available things that IT marketers were suggesting cloud services would be. But whilst I wasn’t a fan of the metaphor, I could easily see the benefits of cloud-hosted services as more and more businesses started to adopt both public and private cloud solutions.
The debate of public versus private cloud doesn’t get nearly as much press as it once did, with the cost of public cloud aggressively nipping at the heels of private cloud hosting services and vendors rushing to add more and more features to their cloud offerings. This is especially true in the security field, with public cloud suppliers looking to try and further differentiate themselves from private cloud networks which have traditionally offered the greatest level of flexibility and thus potential for tightest security. (This presumes, of course, that you were prepared to build out that security stack yourself!)
In my mind, private cloud remains a powerful way of keeping security controls internal – a key element when security is a priority. When you need to add a new security function to your private cloud, the main challenge in most cases is how quickly you can deploy the toolset. This, in turn, ensures that you can increase your security coverage quickly and easily. But there are costs to this – by keeping your infrastructure in your own private cloud, it is on you to maintain the state of your security “garden,” and you need to make sure you’re pruning the weeds and ensuring ample coverage all year round.
Public cloud, on the other hand, allows you to potentially outsource your security objectives and may make security “not your problem.” Those of you used to assessing risk will probably hear some alarm bells ringing at that concept, but problems unseen are harder to manage than those you have direct control over. If your vendor’s security history is patchy or untested, this is particularly worrying.
There are some additional nuances to consider relating to public cloud that may be missed in relation to security. A centrally hosted management service means that access is potentially available anywhere, which makes taking additional precautions (such as multi-factor authentication for logins) all the more important. (Although it may be distributed, most big cloud providers will provide a single URL for administrator access.) Also consider that all your management control instructions will travel across the public internet. Of course, that is almost certainly happening over SSL, but a plethora of man-in-the-middle attacks over recent years have shown that even with HTTPS, there’s a risk (particularly on networks outside of your control) that people can intercept or manipulate traffic in ways that are harder to detect.
So how to pick between the two when making security recommendations? I’d suggest asking a few key questions:
- What type of data are you intending to store in the cloud? Are credit card information, user records, etc. in scope, which might carry specific legal requirements and define more specific security requirements to validate your cloud service against? Consider not just your current data but also potential future expansions of your services and the risk of data “leaking” between environments if you are using a mix of private and public cloud.
- What do the service providers offer in terms of a security service, and what do their historical security responses look like? Fortunately, the internet makes getting third-party insight into the security behavior of companies easier, but don’t forget to check what your potential provider's communication processes are.
- What are the compatibility and bandwidth of your security skills/toolsets to maintain the service? An unwatched alert in many cases is nearly as bad as no alert at all. Sometimes the decision to pick a managed public cloud service might be the only way to achieve sufficient coverage of your most precious assets.
With the answers to these questions in hand, you should be in a better position to start assessing the best cloud solution. Fortunately, it’s never been easier to get great services for competitive prices. The potential benefits of the rapidly growing cloud service offerings are opening up new possibilities for improving your security posture whilst also getting all the benefits of a cloud-hosted solution. Just make sure that when you’re up in the clouds, you keep those cloud boundaries well understood and secured.