Q&A: Cloud Security 101
When considering moving to the cloud, most IT shops have concerns about security. We tackle several of the most common questions.
If you’re considering a move to the cloud, security is likely a big concern. How is it different from security measures in place for your on-premise data center? What technologies are available, and what best practices should you follow? For answers, we turned to Bill Goodman, senior systems engineer at Vormetric. The company’s Vormetric Data Security Manager solution encrypts files, databases, and applications.
Enterprise Strategies: How is security in the cloud different from on-premise security? How easy is it to synchronize the two?
Bill Goodman: The concepts are the same but the environment is different, and in terms of whether it is stronger or more secure, the answer is like so many things in life, “it depends.” To avoid any confusion, it is useful to slice the cloud into different delivery models -- Software-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service.
For SaaS and PaaS, the cloud service provider typically owns security, so customers need to carefully read the terms of service to understand what they are signing up for in terms of security. For IaaS, it is a shared responsibility with the bulk of the responsibility falling on the enterprise cloud consumer. When using IaaS, ideally enterprises should look for solutions that enable them to extend their on-premise security policies to data in the cloud. There are solutions available today from Vormetric and others that can maintain and enforce on-premise security controls on data when it moves into a cloud environment.
What are the biggest misconceptions IT has about cloud security?
The biggest misconception we see is that the cloud service provider completely owns security. Ultimately, the enterprise is accountable for security and needs to oversee it. Enterprises may delegate security to their SaaS or PaaS provider, but if there is a problem, the company, not the cloud provider, is accountable. In the case of IaaS, the enterprise needs to ensure their data is secure. It is always best for the IT security team to own all security, be it private, public or hybrid cloud.
What cloud security technologies are available?
There are a number of different technology layers that can be used to protect cloud environments; they are similar to those used to secure on-premise data centers. These include encryption, host-based firewalls, IDS/IPS, antivirus, and identity and access management systems. One tool that is useful to understand the various cloud security categories is the Cloud Security Alliance (CSA) Cloud Controls Matrix. This is an excellent planning document that lays out the various categories of controls, mapping to compliance regimes, and technologies that apply.
Do these technologies satisfy all the security needs IT has?
They generally satisfy the needs, but like anything in technology there are three elements -- people, process and technology -- required to solve security problems. This is not a pure technology issue.
What are the biggest mistakes IT makes regarding cloud security?
Ignorance is one mistake -- assuming that someone else owns security. Lack of internal IT communication is another. IT folks want to get their jobs done quickly and effectively but can sometimes inadvertently not follow security best practices or policies. For example, an application developer might plunk down their credit card to use Amazon EC2 without communicating with IT security first because EC2 allows them to get their job done more quickly. However, this might violate the company’s IT security policy regarding placing sensitive data in the public cloud.
What best practices should IT follow to avoid those mistakes?
One best practice is using available tools like the Cloud Security Alliance Security Guidance. The CSA published version 3 of their document and it provides a great summary of issues to consider. It can be downloaded from the CSA Web site.