I was recently speaking to a group of CIOs and IT managers about cloud. I spoke about all the good things they can do once they migrate their workload to the cloud. But one IT manager got up and said, “All that is fine, but what about security? How can I rely on your security, and why should I pay you for the security? When I am migrating my workload to your cloud, then ideally you should take care of it as it’s your own. It doesn’t make sense for me to pay you to host my workload and then pay you for security too.”
This gentleman had two misconceptions. The first was that if he migrates his workload, securing it is solely the vendor’s responsibility and hence he doesn’t have to pay. That’s absolutely not the case in any cloud deployment. Unlike an on-premise deployment, where only you are responsible for security, security in the cloud is a joint responsibility between customers and vendors. Vendors provide the tools to secure your workload, and customers have to make significant changes in their IT strategy and approach to secure their workload.
The second misconception was about the type of security itself. He might have been referring predominantly to network security. He might have been concerned about unethical hacking, DDoS, virus attacks, etc. Let me tell you that security in the cloud is not limited to these few things. It’s very important to understand the potential vulnerabilities so that you can protect yourself from unprecedented exigencies.
Everyone is concerned about security, but not many people understand what it means. I have heard the following in all my interactions about cloud security with clients:
- I want my data to be safe.
- I don’t want my data to be shared.
- I don’t want people to hack my system.
- I don’t want to protect my system from external threats like malware, viruses, DDoS, etc.
Let’s try to address cloud security in reverse. Let’s look at what types of cloud security solutions are available in the market. That will give us a good idea of what these solutions protect, and hence help us understand what the possible vulnerabilities are. Forrester, in its 2015 research report, identified 4 types of cloud security solutions:
- Cloud data protection: CDP solutions are used primarily to encrypt sensitive data, such as employee details and customer details, that is to be stored in the cloud. They are either on-premise or SaaS gateways between the customer’s premises and the applications, like CipherCloud etc. There are 5 capabilities a cloud data protection solution has:
  - Data loss prevention
  - Malware scanning
  - Contextual policy control
- Cloud data governance: These solutions work with cloud data storage solutions like Dropbox, Google Apps, Office 365, etc. They give you full control over how the organization shares data, what data should be accessible or visible to whom, and how exposed data has changed over time.
- Cloud access security intelligence: These solutions intercept and analyze traffic (who is accessing which application, when, and how much) and provide alerts on anomalies. They help you track any unprecedented activity that may be suspicious or abnormal. For example, a technical support person who normally accesses 100 customer records a day suddenly accesses 10,000 customer records in a day. Similarly, a system admin who normally downloads 1 GB a day has been downloading 10 GB of data for the last 2 days.
- Centralized cloud workload security management: These solutions apply when you run your workload on an IaaS platform like IBM Bluemix, AWS, Azure, etc. IaaS vendors typically provide capabilities like:
  - Malware protection
  - Host-based firewalls
  - Log inspection
  - Intrusion detection and prevention
  - Configuration management and file integrity monitoring
  - Virtualization support
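The volume-anomaly alerting described under cloud access security intelligence above can be sketched as a per-user baseline check. This is an added example, not code from any vendor's product; the user names, metric names, thresholds and sample values are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (user, metric, day, value); not real telemetry.
SAMPLE = (
    [("support_1", "records_read", d, v)
     for d, v in enumerate([100, 95, 110, 102, 98, 105, 10000], start=1)]
    + [("admin_1", "gb_downloaded", d, v)
       for d, v in enumerate([1.0, 0.9, 1.1, 1.0, 1.2, 10.0, 10.0], start=1)]
    + [("new_hire", "records_read", d, v)
       for d, v in enumerate([5, 400], start=1)]
)

def find_anomalies(events, window=5, ratio=5.0, min_history=3, floor=1.0):
    """Flag days where a user's volume exceeds ratio x their own median baseline."""
    series = defaultdict(list)
    for user, metric, day, value in events:
        series[(user, metric)].append((day, value))
    alerts = []
    for (user, metric), points in series.items():
        normal = []  # only non-anomalous days feed the baseline
        streak = 0   # consecutive anomalous days for this user and metric
        for day, value in sorted(points):
            if len(normal) < min_history:
                normal.append(value)  # learning period: too little history to judge
                continue
            # floor avoids a near-zero baseline turning any activity into an alert
            baseline = max(median(normal[-window:]), floor)
            if value > ratio * baseline:
                streak += 1
                # flagged days are kept out of the baseline, so a sustained
                # spike cannot raise the threshold and silence later alerts
                alerts.append({"user": user, "metric": metric, "day": day,
                               "value": value, "baseline": baseline,
                               "streak": streak})
            else:
                streak = 0
                normal.append(value)
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE):
        print(alert)
```

The `streak` field separates a one-day spike from the sustained multi-day pattern in the system admin case. Activity during the learning period is never flagged, so new accounts need a separate control.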
It’s quite important to understand that security is not just a tool-centric element; it’s an implementation strategy that is created, reviewed, and changed at regular intervals.