Here’s the reality: public cloud providers have better security mechanisms in place and are more paranoid about, and more attentive to, security risks throughout their entire stack. Considering the paranoia around cloud computing and security, most public cloud-based systems have better thought-out security mechanisms than those in traditional data centers.
Why Do Many Enterprises Still Distrust the Cloud?
What public clouds bring to the table are better security mechanisms and paranoia as a default, given how juicy they are as targets. The cloud providers are much better at systemic security services, such as looking out for attacks using pattern matching technology and even AI systems. This combination means they have very secure systems.
It should be no surprise that the hackers move on to easier pickings: enterprise data centers.
The on-premise systems that IT manages are typically a mix of technologies from different eras. The aging infrastructure is often less secure – and less securable – than the modern technology used by cloud providers. This is simply because the old, on-premise technology was designed for an earlier era of less-sophisticated threats. The mixture of different technologies in the typical on-premise data center also opens up more gaps for hackers to exploit.
Because on-premise systems continue to age, their intrinsic security can be easily defeated by hackers. Moreover, the number of attacks increases weekly, and defenses need to be proactive – more proactive than most enterprise IT organizations are, and likely more proactive than they can each afford to be.
So why have you not gone big with cloud security? Perhaps it’s just a lack of knowledge about the process to secure your public cloud-based data store or application.
Here are 5 easy steps to cloud computing security.
Step 1: Understand Your True Requirements.
As we implement cloud-based systems and wrap them with the right security approaches and technology, the largest issue I find is that few in the enterprise understand the true security requirements. Typically, they have notions about the legal and compliance issues around the protection of corporate and government data that are not based in reality.
Things that need to be reviewed in detail include any laws or regulations that require compliance, and thus what technology is mandated (e.g., encryption levels or location of data). Moreover, existing internal policies around the protection of data, including the existing approaches for evaluating risk, must be identified. These should be written down and approved by leadership so everything is clear and well understood.
Step 2: Consider Identity-Based Security.
The best approach to cloud computing security requires that we deal with all assets, including humans, servers, databases, data, processes, services, etc., as identities. These identities can then be managed, in terms of access to resources, and as resources themselves. The application of identity-based security to cloud computing is quickly emerging. The most successful and useful cloud security systems are able to manage fine-grained identities to control when and how they interact.
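A minimal sketch of the identity-based model described above, added here as an illustration and not taken from the original article. The identities, the rule set and the `is_allowed` helper are all constructed for this example; note that `billing-svc` appears both as an actor and as a resource.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Constructed sample identities: every asset, human or not, is an identity.
IDENTITIES = {
    "alice": "human",
    "billing-svc": "service",
    "orders-db": "database",
    "etl-job": "process",
}

@dataclass(frozen=True)
class Rule:
    principal: str                               # identity that acts
    resource: str                                # identity that is acted on
    actions: frozenset                           # "how" they may interact
    window: Optional[Tuple[time, time]] = None   # "when"; None means any time

# Constructed policy. Anything not listed here is denied.
POLICY = [
    Rule("billing-svc", "orders-db", frozenset({"read"})),
    Rule("etl-job", "orders-db", frozenset({"read", "write"}), (time(1, 0), time(3, 0))),
    Rule("alice", "billing-svc", frozenset({"restart"}), (time(8, 0), time(18, 0))),
]

def is_allowed(principal, resource, action, at, policy=POLICY, identities=IDENTITIES):
    """Default deny: allow only if both identities are known and a rule matches."""
    if principal not in identities or resource not in identities:
        return False  # unknown identity never falls through to an allow
    for rule in policy:
        if rule.principal != principal or rule.resource != resource:
            continue
        if action not in rule.actions:
            continue
        # Window is half-open: start is included, end is excluded.
        if rule.window is None or rule.window[0] <= at < rule.window[1]:
            return True
    return False

if __name__ == "__main__":
    checks = [
        ("billing-svc", "orders-db", "read", time(12, 0)),
        ("billing-svc", "orders-db", "write", time(12, 0)),
        ("etl-job", "orders-db", "write", time(2, 0)),
        ("etl-job", "orders-db", "write", time(14, 0)),
        ("alice", "orders-db", "read", time(9, 0)),
    ]
    for c in checks:
        print(c[0], "->", c[1], c[2], "at", c[3], ":", "ALLOW" if is_allowed(*c) else "DENY")
```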
Step 3: Create a Plan.
Many consider security to be one of those things that gets added in the final hours of deployment or migration. The reality is that approaching security in general – and cloud specifically – requires that a master security plan emerge using the requirements we’ve gathered in Step 1. Keep in mind, security is systemic to cloud computing. It’s a part of every step in the plan.
This drives down to the actual solutions, including solution patterns and candidate technology that should be evaluated as a potential fit. Many in IT approach security technology with a bias toward their favorite or existing solutions. Don’t lock yourself into a technology until you’ve understood the requirements, and tested the technology.
Step 4: Select the Right Security Technology.
Goes without saying, right? However, most of those who implement security technologies never test them before the implementation. Many take the vendor or cloud provider’s word for things, which is a huge mistake.
POC testing is mandatory. You should go into deployment with no questions unanswered.
Step 5: Deploy, Test, Monitor.
Deploy the security solution with the understanding that it is not a separate entity from the core system or the data, but is bound to it. Many think they can decouple security from the core processes and data, but that is just not the case.
Make sure to test the security. Many firms provide “white hat” penetration testing, and a few good weeks of that type of testing will provide some good insurance that the solution works, or perhaps it will point out the need for some additional configuration. Finally, understand that monitoring is required over time.
Easy steps? Yes. Needs some thinking? You bet. However, by following the steps above you’ll find that your cloud-based system is invariably more secure than anything currently in your data center. It’s tough for even those who don’t like the use of public clouds to push back on that fact.
This article was written by David Linthicum. David is a cloud computing visionary and pundit. He has written 13 books, published 3,000 articles and presented at over 500 conferences on cloud computing. His views are his own.