Cloud security: new buzzword, same challenges
When companies move to the cloud, whether it is public or private, many enterprises assume that security is provided by the cloud provider, says Brian Chappell, director of Engineering, EMEAI, BeyondTrust.
It is easy to be seduced by the hype around the cloud, but while many non-IT executives may be attracted by the scalability and cost benefits, network and IT professionals are treading more cautiously. According to analyst firm IDC, 74% of IT executives and CIOs have cited security as the top challenge preventing their adoption of the cloud services model.
This is perhaps no surprise, considering that the cloud means trusting sensitive corporate data – including customer data, intellectual property and other content, such as information on new products – to a third party. The reality is that wherever data is hosted, vulnerabilities and exploits do not discriminate. The same opportunities exist for cyber thieves within cloud providers as exist for data storage on-premise.
The problem is that when some companies move to an external cloud – public, or more frequently for enterprises, virtual private clouds – they may assume that the cloud provider is responsible for security. However, while cloud providers are responsible for securing the cloud management infrastructure, in practice they might not even know when a breach of a particular cloud server has occurred. In a 2011 Ponemon study, 42% of respondents at cloud service providers indicated they would not know if their customers’ cloud apps or data were compromised by a security breach or data exploit.
Of course, any reputable cloud provider is going to have security measures, but enterprises do not abdicate responsibility for what in effect is just an extension of the corporate network. For instance, if someone within the enterprise has left default passwords unchanged, or installed software with vulnerabilities, or does not keep up with patch levels, then the organisation is responsible.
Organisations need to think in terms of protecting data, not just physical machines. Responsibility for those assets travels with them, regardless of the environment. Wherever a company’s IP goes, it needs to be protected, whether that is in the cloud, on-premise, printed out, on a mobile device or on any number of storage types.
Enterprises must extend their security practices to the cloud environment and ensure that the tools and processes they use are able to address the particular challenges of a virtual environment, so they need systems that scan both the local environment and virtual servers. Ideally, both the cloud provider and the enterprise should overlap their security measures.
For the enterprise, this means making sure that all individual machines are secured, as well as the entire system, so that if someone manages to knock a hole in the system’s protective wall, all the ‘pieces’ within the corporate network are just as robustly protected. In short, we need to abandon our fortress mentality and realise that often the threat is already within the walls. And of course, the cloud provider also needs to apply the same approach to the security of its infrastructure as much as possible.
Whatever the type of cloud, the same operating systems – Windows, Linux, etc. – are still used, and bring with them their associated security challenges. The only real difference is the additional concern of securing the system that is provisioning the cloud environment, and that is the responsibility of the service provider. For network owners, the same security risks that were already there still apply: organisations just need to protect themselves as securely as possible, across all endpoints, regardless of whether they are on-premise, remote or virtual.