Let’s break down some lingering misunderstandings about public and hybrid cloud security
When the tech hype machine kicks into high gear, seasoned IT leaders know the drill: Expect all manner of jargon-laden pitches, misunderstandings, and downright myths to follow. Consider cloud computing as Exhibits A through Z. Cloud had a heck of a run in the hype cycle, and for great reason: It’s nothing short of a significant shift in IT.
Cloud is now well past hype at this point, of course, and living comfortably in the mainstream. But that doesn’t mean it left all the myths back on shore, especially when it comes to security, and public cloud security in particular.
We figured it was high time to revisit some of the big, lingering misunderstandings around public cloud security – some of which certainly extend to private or hybrid cloud environments, too, not to mention IT security in general.
We asked several cloud security experts to help us rewrite the myths as realities. Here’s what they had to say.
Myth 1: Public cloud is inherently insecure
Let’s dispense with this one quickly, shall we? This is a phase of actual cloud history that has since been mythologized. Does public cloud have different considerations than a traditional datacenter? Sure thing. Does that mean public cloud is automatically less secure? No.
“When public cloud was new, there were valid concerns as the technology was unproven, but this is no longer the case,” says Laurence Pitt, global security strategy director at Juniper Networks. “Modern cloud computing started in the 1990s, meaning providers have many years of experience providing data and application access, ensuring rights management, strong governance, and systems monitoring.”
Of course, not all providers are equal – more on that in a moment. But Pitt uncloaks the great prevailing cloud boogeyman here: That public cloud is in and of itself a massive security threat.
Reality: Public cloud security is often better than your old on-premises security
In fact, for some companies, leveraging the size and scale of some cloud vendors might actually be a part of a more efficient overall security strategy, especially if they’re strapped for budget or simply, like so many IT leaders, having a difficult time finding the right cybersecurity skills for their teams.
As Red Hat technology evangelist Gordon Haff recently noted, you’re likely worrying too much about security process at that public cloud provider. “The nature of public clouds is that they approach security using specialized staff, automated processes, and discipline (which is not to say that enterprises don’t, but it’s by no means a given),” he writes. (See the full article: Public cloud security: Follow the Goldilocks principle.)
Myth 2: There’s a single thing called “public cloud”
Ask George Gerchow, CSO at Sumo Logic, for his prevailing public cloud myths, and he’ll give you one – by pointing out that the topic is too broad.
“This question needs to be broken down further to differentiate single tenant versus multi-tenant versus managed service in a public cloud,” Gerchow says.
Indeed, we tend to lump together a whole bunch of stuff – from software to infrastructure to development platforms, basically anything you can attach the ubiquitous “as-a-Service” (-aaS) acronym to – under a giant umbrella of “public cloud.”
For one company, “public cloud” might mean multiple infrastructure environments spread across multiple vendors, integrated with private cloud and/or on-premises infrastructure as part of a robust hybrid cloud portfolio. For another company, “public cloud” might simply mean they use Google Apps or Office 365.
This leads to generalizations about public cloud security that tend to be off-target.
Gerchow, for example, sees a key misunderstanding when digging into more specific categories of public cloud: “There is a huge misconception that single-tenant cloud deployments are more secure than multi-tenant,” he says.
Reality: Public cloud types, and their security considerations, can vary significantly
Gerchow’s point is well-taken: It’s a mistake to think of public cloud security as a homogeneous issue.
It would similarly be a mistake to view all public cloud environments as one and the same from a security standpoint. You must draw distinctions between the specific type of cloud environment, the data you’re moving there, and so forth as part of any public cloud strategy. Moreover, different organizations have different needs and concerns around security, compliance, governance, SLAs, and more; you know those needs better than anyone.
Again, to think of “public cloud” as some big, leaky environment just waiting to get hacked is to miss the opportunities cloud presents. And these days, it’s a misnomer.
“Public cloud providers spend an inordinate amount of resources on making sure security is initially a core part of the architecture as well as keeping their networks and services hardened,” says Mike Kail, CTO and co-founder of CYBRIC.
In that same vein, IT leaders must understand the environments they’re using. You should be digging into your public cloud providers with the same level of diligence as you would into your own datacenter. (And if, in the latter case, you’re not paying particularly close attention – well, that probably means your whole security profile needs an audit.)
As SAS CISO Brian Wilson told us recently, cloud security in general – and perhaps especially in public clouds – requires a deep understanding of your providers’ capabilities and how those map to your particular needs. (It may be that a multi-cloud strategy will be necessary to meet your various requirements.) In Wilson’s case, for example, any provider who can’t deliver federation with SAML is a non-starter.
Myth 3: Cloud security is too complex to maintain
Here’s a particularly persistent myth: Cloud security is too complex for most organizations to effectively grasp.
The amusing part of this myth? It suggests that securing your on-premises network or datacenter has ever been simple. You know the saying: If it were easy, everyone would be doing it? If IT security were ever easy, why does it have such a consistently recurring and, um, colorful history of breaches?
In fact, the perception of proximity to on-premises infrastructure – while much more than mere perception in many cases – might actually lull IT pros into an unearned sense of safety.
“Just because you can ‘see’ the servers and storage doesn’t mean that proper security controls are in place,” CYBRIC’s Kail says. “The mega-breaches have occurred because of a lack of proper security hygiene and processes, not because of location.”
Reality: Hybrid cloud security requires new models and processes
What’s true is that your old ways of doing things won’t cut it when you move workloads to a public cloud. That just gets more true if you’re securing a hybrid cloud architecture, or pursuing a multi-cloud strategy that utilizes two or more cloud services from two or more different platforms.
“Cloud security is a new paradigm that is software-defined and not dependent upon well-defined network perimeters,” Kail says. “This is not complex to implement or maintain — it requires a new way of thinking and culture.”
For Kail, that culture is DevOps. Organizations that want to put a finer point on security are increasingly embracing its younger sibling, DevSecOps, which quite literally accords security the same status as the other major pieces of the software pipeline.
Myth 4: Public cloud security is the vendor’s problem
A common selling point of public cloud, in particular, has been that it affords organizations the kinds of compute power, scalability, and flexibility that would otherwise be out of reach (for reasons of cost, skill sets, aging infrastructure, and more).
It’s true that a tiny startup can essentially stand up an enterprise-quality infrastructure overnight. The appeal is straightforward: Someone else has already done the heavy lifting for you; you don’t need to buy a single server, much less build out an entire datacenter, unless doing so is a part of your broader IT strategy.
This doesn’t absolve you of risk, however; it’s still your data, your applications. You should certainly be selecting public cloud vendors that invest heavily in security and related areas according to your needs. Just don’t take a checkbox approach to your evaluation and then assume your work is done.
Reality: Public cloud security still ultimately starts and stops with the CIO
“Cloud providers have the software-defined constructs and APIs in-place for customers to leverage, and cloud security needs to ultimately be the responsibility of the customer,” Kail says.
That doesn’t mean your public cloud vendors can’t help. As Kail noted, any cloud provider worth a darn is continuously investing in the security of its platforms, and they can do so at global scale.
As we’ve noted previously in this space, you can turn the outsized security fear that once commonly stood in the way of cloud adoption into an opportunity to retool lax or outdated security practices.
Gerchow offers some quick fundamentals for public cloud, in particular.
“Everything in [a] public cloud [environment] should be encrypted with daily key rotation,” he advises. “Public cloud also opens the door to the usage of single sign-on and multi-factor authentication.”
This gets back to the earlier advice from Brian Wilson, the SAS CISO: If you prioritize technologies and practices like these, make sure your potential providers can support those requirements. Don’t take “encryption” at face value, for example. How do they support key management?
If you don’t like the answer, then you’ve arrived at another cloud security reality: Find providers and platforms that actually meet your needs.
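The “daily key rotation” and “how do they support key management?” points above are only useful if you can actually verify them against a provider’s key inventory. The following Python example is added here as an illustration; it is not code from the article, from Sumo Logic, SAS or any cloud vendor. It audits a constructed list of key records against a daily-rotation policy and flags keys that are disabled, have rotation switched off, lack a rotation timestamp, or were last rotated outside the policy window. The record fields (`key_id`, `enabled`, `rotation_enabled`, `last_rotated`) and all sample values are assumptions for this example; a real provider’s key metadata would need to be mapped onto them.

```python
"""Audit cloud key-management metadata against an encryption policy.

Added example, not from the article. The KeyRecord fields and the sample
records below are constructed for illustration and do not correspond to
any particular provider's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Policy from the article's advice: keys should be rotated daily.
POLICY_MAX_KEY_AGE = timedelta(days=1)

# Fixed "current time" so the audit is deterministic (constructed value).
SAMPLE_NOW = datetime(2018, 3, 28, 12, 0, 0, tzinfo=timezone.utc)


@dataclass
class KeyRecord:
    key_id: str
    enabled: bool
    rotation_enabled: bool
    last_rotated: Optional[str]  # ISO-8601 timestamp, or None if never recorded


@dataclass
class Finding:
    key_id: str
    severity: str  # "high", "medium" or "info"
    reason: str


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp (trailing 'Z' allowed) into aware UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def audit_keys(keys: List[KeyRecord], now: datetime,
               max_age: timedelta = POLICY_MAX_KEY_AGE) -> List[Finding]:
    """Return one Finding per policy deviation; an empty list means clean."""
    findings: List[Finding] = []
    for k in keys:
        if not k.enabled:
            # A disabled key is not a rotation failure, but anything still
            # encrypted under it is unreadable, so surface it for review.
            findings.append(Finding(k.key_id, "info",
                                    "key disabled; confirm no live data depends on it"))
            continue
        if not k.rotation_enabled:
            findings.append(Finding(k.key_id, "high", "automatic rotation disabled"))
        if k.last_rotated is None:
            findings.append(Finding(k.key_id, "medium", "no rotation timestamp recorded"))
            continue
        age = now - parse_utc(k.last_rotated)
        if age < timedelta(0):
            # Future timestamps usually mean clock skew or bad metadata.
            findings.append(Finding(k.key_id, "medium",
                                    "rotation timestamp is in the future; check clock or metadata"))
        elif age > max_age:
            findings.append(Finding(k.key_id, "medium",
                                    f"last rotated {age.days} day(s) ago; exceeds policy of "
                                    f"{max_age.days} day(s)"))
    return findings


def is_compliant(keys: List[KeyRecord], now: datetime) -> bool:
    """True when no high- or medium-severity finding exists."""
    return not any(f.severity in ("high", "medium") for f in audit_keys(keys, now))


def sample_keys() -> List[KeyRecord]:
    """Constructed key inventory covering the normal case and each failure mode."""
    return [
        KeyRecord("k-good", True, True, "2018-03-28T00:00:00Z"),       # 12 hours old
        KeyRecord("k-stale", True, True, "2018-03-20T00:00:00Z"),      # 8 days old
        KeyRecord("k-norot", True, False, "2018-03-27T18:00:00Z"),     # rotation off
        KeyRecord("k-nodate", True, True, None),                       # never recorded
        KeyRecord("k-disabled", False, True, "2018-03-27T00:00:00Z"),  # retired key
    ]


if __name__ == "__main__":
    for f in audit_keys(sample_keys(), SAMPLE_NOW):
        print(f"[{f.severity:6}] {f.key_id}: {f.reason}")
    print("compliant:", is_compliant(sample_keys(), SAMPLE_NOW))
```

Run as a script, this prints one line per deviation and a final compliance verdict; in practice you would feed it the key listing exported from your provider and run it on a schedule, so that “daily rotation” is something you observe rather than something you were told.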
28 March 2018 | Kevin Casey | The Enterpriser’s Project