The compelling business model offered by cloud-based Infrastructure Services (IaaS) has led to rapid growth in their adoption by organizations of all kinds. Nevertheless, organizations that choose to implement an IaaS strategy, be it a public or a hybrid cloud strategy, should be aware of the security challenges that must be addressed in order to protect their cloud-based operations and their business. Infrastructure cloud computing presents a plethora of challenges that derive from the fact that the company’s cloud resources are located in shared public data centers and are accessed remotely over unsecured networks. Matters are further complicated because most cloud providers (e.g. AWS, Google, Rackspace) work on a “shared responsibility” model. What does “shared responsibility” mean exactly?
The shared responsibility model states that both the cloud provider and the business customer are responsible, with a clearly defined demarcation between them, for ensuring that a cloud deployment is properly secured. Specifically, it is the responsibility of cloud business customers to secure all operating systems and applications that they run on the cloud provider’s infrastructure. While some cloud infrastructure providers (e.g. Amazon, Google, and Rackspace) have tightened up security where they could, cloud infrastructure has also opened new opportunities for hackers. Take, for example, the 2011 Sony PlayStation attack, in which 77 million accounts were compromised. The hackers were using cloud instances to launch the attack. The fact is, if a business has not established proper security infrastructure safeguards, its cloud deployment is susceptible to any number of threats. Furthermore, there seems to be a broad misconception that must be dispelled: security provisions offered by cloud providers are rarely enough to protect your organization!
Organizations using the cloud may try to address security challenges by themselves or by using a third-party ISV security service. There are quite a few solutions available on the market, but not every company has the same security needs. We’ve identified four stages of cloud security needs that range from simple to very complex. In this post, we will define the primary challenges that companies face at each stage of cloud complexity.
Stage 1 – Security Best Practice in the Cloud
Companies fitting into the first stage of complexity are those using IaaS on a relatively low scale and in a simple, single data center configuration. Businesses looking to reduce computing costs and improve efficiency will adopt a cloud infrastructure strategy that gives them access to the kind of computing infrastructure that was previously only available to large companies. These companies, however, often lack in-house IT security expertise and therefore cannot readily address the security requirements by themselves. For these types of companies, a solution that packages security best practices (e.g. firewall, secure remote access, identity-based access policies) and delivers them as a service would be the best fit.
Stage 2 – Scale & Automate Security
The next type of company on the complexity scale is a bit more experienced in the cloud and even boasts in-house security capabilities. These companies adopt an external security solution not because they lack in-house knowledge or skill, but because manual configuration cannot scale security at the same pace as the business’s cloud computing power. In this case, automating security supports the in-house team in dealing with dynamic and massive cloud usage.
When the number of virtual servers that a company uses fluctuates, the company must be able to respond. Take, for example, an e-commerce platform deployed in the cloud. Throughout the year the platform’s computation needs might be constant; during holidays and seasonal peaks, however, traffic can quickly escalate to 10 times the average or more. When this spike in demand occurs, the company needs to be able to add servers without having to worry about downtime or about hackers taking advantage of the jump to get into the network. Manual configurations risk human error or, in the worst-case scenario, simply fall short in resources at peak times, meaning lost sales and revenues. Automated security scaling can protect a company’s network regardless of the number of virtual servers being used at any given time.
An additional concern at this stage of complexity is secure remote access. If a company’s employees are working remotely and need access to the cloud servers, provisions must be in place to ensure that identity is verified, the connection is secure and data-in-motion is not at risk.
In the second part of this post, we will be covering:
- Stage 3 – Multi-Region, Multi-Cloud Deployments
- Stage 4 – Compliance with Security Regulations (e.g., PCI, HIPAA)
In addition, we will be addressing the best practices to deal with security challenges in the cloud.
* A light version of this blog post was initially posted on SC Magazine