How secure is the Cloud? (part two)
Previously, I looked at the shared responsibility model that should be considered when securing Cloud services. Here I’ll cover physical infrastructure, which our preferred Cloud partners, AWS and Azure, have established.
Physical security of the Data Centres that host the Cloud services, and of the physical assets within them, is paramount to the continuity of the Cloud providers’ business. AWS and Azure have invested heavily in their physical assets, including their security and audit processes. Their physical security controls adhere to a wide range of regulatory compliance standards such as ISO27000, PCI-DSS, APRA, ISM etc. Both AWS and Azure have data centres located in Australia, which mitigates the data sovereignty risk posed by offshore hosting.
While it’s possible for an organisation to achieve this level of physical security and compliance within its own data centre facilities, doing so requires a significant investment that is essentially not required in a Cloud-based architecture, because it is built into the cost of the platform services.
Whether on-premises or in the Cloud, the architecture needs to be designed to align with Information Security (IS) best practices, and the strength of the security controls should align with the risk level of the data and systems that reside on the platform. Data security controls are needed to protect the privacy and integrity of the data as it traverses organisational systems.
Securing your tenancy
Within a Cloud-based architecture, various tenants (organisations) may be sharing the same virtualised host. Although it is possible to have hosts dedicated to your organisation, it is a more costly model and is only needed in very specific situations with stringent compliance requirements. The prospect of sharing physical hosts brings us to the importance of ensuring that your organisation’s tenancy is securely isolated from other organisations. Enforcing virtual segregation is entirely achievable by applying Cloud-based defence-in-depth design principles and configuring security controls at multiple layers throughout the architecture.
In summary, the main ‘take-home’ points when considering your Cloud migration are:
- AWS and Microsoft Azure operate under shared responsibility security models
- IS controls need to be built into both on-premises and Cloud architectures, and this is the responsibility of the consumer of the Cloud platform
- Assess the type and strength of the security controls available in the Cloud and whether they meet your organisation’s requirements
In my next article, I’ll move up the stack from the physical layer and discuss the high-level security controls that should be in place to secure a public Cloud tenancy.