Every enterprise today seems to be moving toward cloud computing, but the term itself can be nebulous. And more critically, is the cloud secure? The answer, decidedly, is that it depends. To gain the advantages of the cloud without succumbing to the risks, a plan for cloud computing security should accompany any migration.
Choose Your Cloud: Public, Private or Hybrid?
Cloud computing refers to the delivery of on-demand computing resources — from applications to data centers — over the internet on a pay-for-use basis. As a result, enterprises gain:
- A scalable resource to meet changing demands;
- A pay-as-you-go metered service; and
- Self-service access to all the IT resources the organization needs.
Although all clouds promise to provide a responsive and efficient way to deliver IT services, they’re not all created equal. Public clouds are owned and operated by companies promising rapid access to affordable computing resources over a public network — think Amazon Web Services (AWS) or Microsoft Azure. Private clouds are operated to serve a single organization, whether they’re internally or externally managed and hosted. Enterprises with private clouds gain more control and avoid sharing resources with other cloud customers.
The increasingly popular hybrid cloud — such as IBM Cloud — combines public cloud computing and/or storage with a private cloud infrastructure. Though they are independent, the public and private environments communicate via an encrypted connection. The global hybrid cloud market was valued at more than $38 billion in 2018, and it is projected to reach $1 trillion by 2024, according to Mordor Intelligence. While the hybrid cloud market has experienced significant overall growth in recent years — especially compared to other cloud services — it makes sense to proceed cautiously where cloud computing security is concerned.
Is the Cloud Secure? Only If You Think About Security First
It’s easy to get swept away by the advantages that a hybrid cloud could provide in handling fluctuating workloads and mushrooming data sets. Many industries, particularly financial, retail and healthcare, are racing toward cloud adoption. But in the rush, security can sometimes struggle to keep up.
In one 2017 study, 42 percent of organizations reported an attack within their hybrid cloud environments, according to Capsule8. Although the cloud provides some protection against zero-day exploits and insider attacks, enterprise security teams must ultimately secure workloads and data in the cloud just as they do for on-premises environments. This can be tricky. Consider the fact that 44 percent of respondents to a Firemon survey reported that IT staff or application owners are responsible for securing the cloud, not their security teams.
Security organizations need a robust framework to manage advanced threats, compliance requirements and the accelerating pace of business.
Why You Should Consider Containers
Application containers have evolved alongside hybrid cloud adoption. Containers bundle apps with all their operating system dependencies, giving organizations the agility to develop and deploy software faster and to provision and start applications quickly. Containers isolate applications from one another and the host, improve security, and encourage teams to adopt the principle of least privilege — granting access only to users with a demonstrated need.
Because containers run the same in development as they do in quality assurance and production, it’s easy to move them between environments, including clouds. And they have the potential to be more secure because they’re never patched and are simply replaced by new versions. This shifts a large portion of the security controls toward the earlier end and into DevOps.
Build Security Into the Design Process
DevOps refers to software development (Dev) processes combined with IT operations (Ops). DevOps shortens software development and better aligns the process with business objectives. Before applications are ever put into production, developers need tools that automatically highlight security risk and report vulnerabilities in code. When DevOps centers on security — as DevSecOps— access management, authentication and authorization become easier in both native and migrated cloud apps. But DevSecOps also means that development, operations and security teams have to join forces.
Cloud computing security must work in conjunction with DevOps. Embedding security from the start can allow much greater operational efficiency and less lost productivity after a breach. Given that hybrid cloud architecture spans multiple systems, it can broaden an organization’s attack surface. And yet, few companies have sufficient resources to secure the full range of environments. Automation is the key to scanning for vulnerabilities, applying consistent policies for identity and access management (IAM), reviewing logs and records, and ensuring a seamless experience for users.
Recognize Your Responsibility
Too many enterprises adopting public or private cloud environments fail to understand who is responsible for security. As one major cloud service provider (CSP) stated, they are responsible for the security of the cloud, and the enterprise is responsible for security in the cloud, including all the applications and databases running there.
True cloud security takes a collaborative effort, but CSPs provide varying levels of security, and what’s covered can depend on whether you’ve signed up for a software-as-a-service (SaaS), platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS) model. Therefore, security teams must understand which security and compliance provisions their CSPs include and complement them to stay on the right side of regulations such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI-DSS).
No matter what services your enterprise chooses, your security organization and IT team must still protect customer data, enforce access controls, monitor for malware infiltration and educate users. Your architectures, policies and tools must be consistent across every environment — from on-premises to public or private clouds to endpoints — to guard against constantly changing internal and external threats.