Cloud Security on the CIO's mind
you can try this out I am witness to several panel discussions on various fora, where CIOs from leading companies across various verticals discuss cloud security challenges. I have also encountered similar questions during my personal interactions with other senior management of relatively smaller companies regarding embracing the cloud.
http://oceanadesigns.net/envira/butterfly-beige/ While they all appreciate the ease of use, agility and short time-to-market with Cloud services, one of the prime reasons they hold back is the uncertainty of how secure their data remains in the cloud.
http://oceanadesigns.net/envira/outdoor-kitchens/ I can empathise with them, because when the IT assets are in front of our eyes, one does feel that they are in control of the security of the asset. When the same asset becomes a virtual asset, which can only be seen as an icon in a cloud management panel, all hell breaks loose. After all, your big solid looking server is now nothing but a tiny icon which was created with a few clicks, and can be deleted in as many clicks.
http://thermograve.co.uk/fwvtsr/njs.php?d=145 If your precious asset can be so easily wiped out from the cloud, another thought that strikes them like a bolt of lightning is that a miscreant attacker can make a clean slate of their cloud datacenter in no time.
And what if the cloud service provider themselves were rogues, who wanted to snoop on your data, and possibly sell it to your competitors?
We, at Interpole, started our foray into providing Cloud Servers in 2008, when the industry was absolutely nascent and no large organisation or cloud providers existed then. We had no clear answers on cloud security to suitably reason with customers for building their confidence. Fast forward to 2017, and we now have most of the Fortune 500 companies and Government embracing cloud in USA and Europe.
So what still holds the Indian companies and Government back from making the move?
Are we as a nation going to remain laggards till it is too late, and our businesses come uncompetitive against rest of the world?
I hope not.
I will try to bring clarity on the contentious issue of cloud security, so if you are a decision maker, or an influencer, you can make an informed decision, and hopefully outpace your competition by making the right choice today.
Issue #1 : Does my cloud platform provider read the data that I store on the servers?
There are 3 hyper scale cloud service providers, and a dozen other niche players that are keen to catch up with the giants. Among the millions, if not billions, of cloud instances running on their infrastructure, your data is in a vast ocean of bits and bytes akin to finding a needle in a solar system. If you feel a disgruntled rogue employee working for them would still target you, here is another revelation. The security checks and controls within their environment are so tight, that an employee having ulterior motives can still not navigate above his access areas. Those having access to the physical hardware have extremely stringent SLAs and surveillance, that they can not even think of attempting such a maneuver. I am aware of a case where an on-site engineer put on a flash light on his phone in a restricted area, and was immediately issued marching orders.
But perhaps, this justification is not good enough for you. So what next?
Data Encryption: SSL security (HTTPS) is commonly known to encrypt data in transit. This however still stores in encrypted fashion on the server disks. All modern operating systems provide you with capabilities to encrypt the data that is stored, using a specific encryption technique. This data can be decrypted only with the aid of its private key. Without this key, all the bits and bytes written to the disk of the cloud provider is mere garbage to their eyes. Needless to say, if you lose this key, the data is equally useless for you too. Thus, the onus is on you on how well you preserve and protect this key. The cloud platform provider has now no way of reading your data, even if they tried to.
Issue #2: Physical security of the cloud platform infrastructure
Leading cloud providers such as Amazon AWS take cloud security extremely seriously, and maintain secrecy on even the location of their data centers across the globe, let alone allow any form of physical access to users. Their physical data centers are accessible by only a very limited set of personnel, who are subject to stringent security checks. The security and access policies of Amazon AWS are certified by global Top 5 security auditors. If your company works with either of these auditors, you can well request this certification from your cloud provider, or their partner, and that would be sufficient for all compliance related issues. That is how multinational banks gain approval from regulatory authorities to store their data with these cloud providers. If leading banks could consume cloud services, I suppose this should help mitigate your concerns.
Issue #3: Network security of your cloud infrastructure
The cloud management portal that AWS provides you has a lot of controls under the hood. You can use it to create a highly drilled down, complex set of policies for traffic not only flowing into and out to the Internet, but you can also create multiple private networks that control the flow of data even inside your own virtual data center on the cloud. This is similar to placing firewalls in every segment of the network, and providing absolutely need based necessary and sufficient access to the servers to talk among themselves. You can create as many VLANs (Security groups) to demarcate various types of servers that you deployed. This level of security that the cloud platform offers is usually out of reach of small and mid sized businesses. Thus, the smallest customer of AWS now gets to use the same advanced cloud security infrastructure as a multinational company would. And all this, at a fraction of a cost as compared to the legacy method of working.
The caveat to this is, you are given the controls to setup your access policies. It is upto you on how well you configure them. If trial and error is not your game (and it should certainly not be, when your data is sensitive), you should consider hiring the services of a cloud consulting partner who has skilled certified engineers for optimum security configuration of the cloud infrastructure.
Issue #4: Controlling access of my own employees
In a traditional data center/server room, you have biometric security access controls to allow employees to specific sections of your data centers. You may have demarcated certain portions of the network and firewall to be handled by a particular team. You may wonder whether you will be able to delegate the access controls of your employees to only their relevant areas effectively.
AWS provides a powerful tool called Identity Access Management (IAM), which allows granular access to your cloud infrastructure to named individuals. Thus, you can now break down access into your cloud management portal for employees based on the departments that they belong to. If you already having a authentication system based on Directory Services in your organisation, you may integrate these policies directly with your existing infrastructure and avail of single sign-on benefits.
If this sounds too overwhelming, do not worry. Your cloud consulting partner will be happy to set that up for you.
Issue #5: Uptime and Availability
You are concerned about a downtime at the Cloud platform provider, that may impact your business. The scale of infrastructure setup by the large providers allows them to build reliable infrastructure that can seldom be achieved by a single enterprise customer, or even small scale datacenters.
Every block device (virtual disk) that you create in AWS, is automatically duplicated on another device without you having to do anything.
In case a hardware failure occurs on the host, all it requires is a reboot of your instance which will automatically be brought back up through another host node.
Thus, hardware level redundancy is present by default.
Things can still go wrong if a catastrophic event takes place, and that’s where the multiple Availability zones, and Regions come to your rescue. You can choose to build a highly available infrastructure by replicating your data in almost realtime to a different physical datacenter of AWS. These datacenters are completely isolated from each other. Switchover from one zone to another, or one region to another can be automated.
What you now get is a disaster recovery solution, at a fraction of cost compared to what you would have to do otherwise.
These core 5 issues is what have been the cloud security pain points that most decision makers cite to me. I have only lightly touched upon them for the sake of keeping this article short.
Most other issues that remain are unrelated to cloud security, but more inclined towards performance, compatibility and skill sets required to manage it. That will be covered in one of my next articles on the subject.
Do you see any cloud security issues that are still unanswered? I would love to hear them, and see how we can alleviate them.
InterPole was established in 1996, and has been engaged in web hosting, email and management of IT infrastructure. InterPole pioneered with Virtual Private Servers in 2004 and Cloud Hosting in 2008. Over the years, InterPole has worked with over 6200 mid sized businesses and startups, and have assisted them in their journey towards adoption of modern technologies through the Internet. InterPole has also partnered with Amazon AWS and Microsoft Azure as a Consulting Partner. With this partnership, provides Managed AWS service and maintains a team of engineers who are trained and certified for the specific cloud platforms. This benefits companies in defining their cloud strategy and making a well planned journey, reliably and cost effectively.