How secure is the Cloud?
The Cisco Global Cloud Index has forecast that by 2019 more than 86% of workloads will be processed by cloud data centres. As adoption of Cloud-based services increases, many organisations are wondering ‘How secure is the Cloud?’, ‘Does it meet my needs?’, and ‘Will my data be safe?’
Over a series of articles, I’ll compare on-premise and Cloud environments from the perspective of the security controls available in each, to help inform your decisions regarding Cloud migrations or securing your Cloud environment.
There are a large number of Cloud solutions available in the market today and this article won’t go into the merits of the many and varied solutions. The term ‘Cloud’ in this article will refer mainly to services offered by the leading public Cloud providers, Amazon Web Services (AWS) and Microsoft Azure – the preferred service partners of CMD Solutions.
Regardless of whether your environment is on-premise or in the Cloud, investment in security services, security products and configuration time is required to achieve a robust security posture. Cloud technology allows organisations to create strong security postures and achieve their requirements by providing built-in security controls and enabling access to third-party security products. In the Cloud, these services can be procured using a consumption-based model rather than the more traditional up-front capital investment required for on-premise solutions, which in itself allows organisations to implement security technology that may have previously been cost-prohibitive.
Shared security model
The security model typically adopted by Cloud providers is a shared responsibility model where the Cloud provider is responsible for securing the physical Data Centre along with all of its physical assets, and the customer is responsible for securing their assets by using appropriate physical, technical and/or administrative controls. Depending on the provider, the responsibility demarcation line will vary significantly and may be as far down the technology stack as the rack level for a co-location arrangement where the customer has full responsibility for installing, maintaining and securing everything in the rack.
IaaS, PaaS and SaaS each trade simpler management and greater efficiency against the flexibility to customise the configuration to suit your needs. Depending on the client’s security requirements, the administrative restrictions enforced in PaaS and SaaS models may not allow the organisation to implement the security controls needed to meet their compliance requirements. Conversely, the PaaS and SaaS offerings may already provide all of the necessary controls without any additional configuration, allowing the client to take advantage of the more efficient service without compromising their security posture.
In an IaaS architecture, the tenant has the responsibility for configuring the security controls of the network, server instances, applications and storage but doesn’t need to secure the hypervisor, physical network or physical storage devices as they are managed by the Cloud provider.
Stay tuned: in my next post I will continue the Cloud vs on-premise security comparison.