“Great news, team: We’re moving to Amazon Web Services. We’ll get all of our services there, including data, compute, governance, and security.”
When you hear that, don’t just think, “Great, we’re done.” That last item is where the danger lies: Security can’t stop where the public cloud ends, and security can’t stop inside your datacenter. Security needs to be overarching and systemic across all platforms, both cloud and non-cloud.
And that means no matter how good your cloud provider’s security is (and it is typically quite good), you still have to manage the overall security because nothing exists solely within the cloud. At the very least, you have endpoints to consider, and very likely your datacenter.
Unfortunately, many enterprises think tactically when it comes to security: Encryption for one system, user IDs and passwords for another, data-focused security for a third. But that won’t scale. Moreover, it’s not secure.
Why is it not secure? Because you’re only as secure as your most poorly secured system. If hackers can access the Linux system that runs your inventory control applications, it’s likely that they can pivot to other systems using that Linux system as an entry point — including to your cloud systems. You configured them to trust that Linux server, so they will.
So an on-premises system can provide a back door into your cloud-based systems. We’ll see more of these hybrid attacks as cloud computing becomes more popular. Hackers know that IT-owned systems are full of weaknesses they can exploit, and they know that hacking into a cloud is much harder. They also know that when you connect those IT systems to the cloud, you’ve created a pathway for them into the cloud. And they’ll take it.
That’s why security needs to be applied equally throughout all on-premises and cloud-based systems to be effective. Having secure clouds is not enough.
As a result, security is becoming a cloud problem. And it’s not because cloud computing is introducing more security risks, but because the IT systems that the cloud systems are connected to are so poorly secured.
The moral of this story is that if you’re migrating to the cloud, think carefully about all the security issues that need to be dealt with in all the systems you have and use. You need to be systematic in your approach across the heterogeneous devices, systems, data stores, and applications involved.
Otherwise, it’s like locking your front door but leaving the back door wide open.