Public Cloud Security – Change the course of discussion
Sandeep Ghildiyal
Industry Leader| Cloud Enthusiast| Talent & Capability Builder| Managing Director & Global Lead- Cloud Transformation & Migration Studio & Infrastructure Engineering for Financial Services at Accenture India
Of late, there has been a lot written about public cloud security, and there is good reason for it. With cloud becoming the foundation of the digital economy, data breaches have become regular news. Whether it is the case of Verizon, where personal data of more than 14 million customers was reportedly exposed, or World Wrestling Entertainment, where information on more than 3 million subscribers was reportedly exposed, news of a security compromise always makes a headline. Regardless of the motive, which ranges from financial gain, corporate espionage and cyber warfare to simply making a statement, the modus operandi of the attackers remains the same: system vulnerabilities and malware. There are thousands of known vulnerabilities and attack methodologies (Denial of Service, zero-day attacks, browser attacks, etc.) documented in the public domain, so we will not spend time on them here.
The point of discussion here is public cloud security and whether it is secure enough.
To those who ask if the public cloud is secure enough, I would turn around and ask why they think it is not. We tend to fear what we do not know or understand, and the public cloud is one such case. The benefits of the public cloud are extensive, including agile deployment and scalability at a lower cost. Despite that, organizations are still reluctant to adopt the public cloud because of the “PERCEPTION” that public clouds are not secure enough. I call it a perception because there is no scientific proof behind it. Let’s discuss some of these misconceptions.
1. Public cloud is less secure – The common belief that data on the public cloud is not secure stems from the assumption that things outside our physical control and reach are less secure. However, the fact is that public cloud providers spend far more on network security controls and technical competency, while most organizations still treat security as “incremental” spend. The economies of scale of public cloud providers, both in technology and in skills, cannot be matched by an individual organization.
2. Cloud security is the cloud provider’s responsibility – This single misconception leads to the biggest security breaches on the public cloud. Security on the public cloud is a shared responsibility between the Cloud Service Provider (CSP) and the organization consuming the cloud services. While CSPs are responsible for security up to the hypervisor (assuming IaaS), including the physical security of the assets, it is important for users to assess what security measures the CSP delivers and supplement them with additional, comprehensive security protection. CSPs also offer an array of security services and tools, directly or through their marketplaces, and it is the user’s responsibility to implement the required defenses. The shared security model rests on a fundamental assumption: no matter who is responsible for securing the cloud workloads, the organization is ultimately responsible for what happens to its data.
3. Public cloud security is the same as traditional datacenter security – This is far from true. Developers in the public cloud extensively use Application Programming Interfaces (APIs) as the core component of their solutions to enhance the cloud experience. APIs are used for communicating across applications and clouds through a set of routines, protocols, and tools. Since developers try to make APIs as stateless as possible, this adds a new attack surface. Therefore, when developing APIs, it is important to have design guidelines and security controls. Two-factor authentication followed by authorization, enforcing encryption all the way through, and the use of throttling and resource quotas to blunt DDoS attacks are some of the best practices for avoiding compromise.
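To make the throttling and resource-quota point concrete, here is an added example (written for this article, not code from any cloud provider or gateway product) of the two limits an API front end typically enforces per authenticated client: a token bucket that permits short bursts but caps the sustained rate, and a hard daily quota. The class name `ApiThrottle`, the client ids and all limit values are assumptions; the clock is passed in explicitly so the behaviour can be checked deterministically.

```python
"""Added example: per-client throttling and daily quota for an API gateway.

Illustrative code written for this article, not code from any CSP or product.
ApiThrottle, the client ids and the limits are assumptions.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class _Bucket:
    """Token-bucket state for one client: burst capacity plus steady refill rate."""
    capacity: int
    refill_per_sec: float
    tokens: float
    last: float


class ApiThrottle:
    """Enforce two layers of limits per authenticated client id:
    - a token bucket (bursts up to `burst`, sustained rate of `per_sec`), and
    - a hard daily quota (total accepted requests per 24h window).
    Unknown client ids are rejected outright: authentication precedes rate limiting,
    so an unauthenticated flood never consumes a legitimate client's budget.
    """

    DAY = 24 * 60 * 60

    def __init__(self, burst: int, per_sec: float, daily_quota: int) -> None:
        self.burst = burst
        self.per_sec = per_sec
        self.daily_quota = daily_quota
        self._buckets: Dict[str, _Bucket] = {}
        self._used: Dict[str, int] = {}          # accepted requests in current window
        self._window_start: Dict[str, float] = {}

    def register(self, client_id: str, now: float) -> None:
        """Called once a client has authenticated; starts it with a full bucket."""
        self._buckets[client_id] = _Bucket(self.burst, self.per_sec, float(self.burst), now)
        self._used[client_id] = 0
        self._window_start[client_id] = now

    def check(self, client_id: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (allowed, reason). `now` is injectable for deterministic tests."""
        now = time.monotonic() if now is None else now
        b = self._buckets.get(client_id)
        if b is None:
            return False, "unknown client"
        # Roll the daily window when it has elapsed.
        if now - self._window_start[client_id] >= self.DAY:
            self._window_start[client_id] = now
            self._used[client_id] = 0
        if self._used[client_id] >= self.daily_quota:
            return False, "quota exceeded"
        # Refill proportionally to elapsed time, never above capacity.
        elapsed = max(0.0, now - b.last)
        b.tokens = min(b.capacity, b.tokens + elapsed * b.refill_per_sec)
        b.last = now
        if b.tokens < 1.0:
            return False, "throttled"
        b.tokens -= 1.0
        self._used[client_id] += 1     # only accepted requests count against the quota
        return True, "ok"


def simulate_burst(n: int, burst: int = 5, per_sec: float = 1.0,
                   quota: int = 20) -> Dict[str, int]:
    """Fire n requests at t=0 from one constructed client and count the outcomes."""
    t = ApiThrottle(burst, per_sec, quota)
    t.register("client-a", 0.0)            # constructed client id
    counts = {"ok": 0, "throttled": 0, "quota exceeded": 0}
    for _ in range(n):
        _, reason = t.check("client-a", 0.0)
        counts[reason] += 1
    return counts


if __name__ == "__main__":
    print(simulate_burst(8))   # 5 accepted, 3 throttled with burst=5
```

The bucket absorbs legitimate spikes while the refill rate bounds what any single client can sustain; the separate quota caps total consumption even for a client that paces itself perfectly. Rejections are returned with a reason so the gateway can emit distinct metrics for throttled versus quota-exhausted clients, which is what a detection team wants to alert on.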
Having discussed common misconceptions, let’s spend some time on the facts. Most of the big security breaches, including the Verizon and WWE cases mentioned in this article, were caused by human error. Amazon's Simple Storage Service (S3) buckets are notorious for being left open to the public, resulting in the compromise of client data. Multiple security reports have revealed the dangers of cloud computing misconfigurations. Though companies like Amazon cannot be blamed for customer mistakes, they could make impactful changes by creating secure default configurations and even proactively scanning for exposures and checking with customers whether they are intentional.
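The exposure-scanning idea above can be applied by the customer as well. The following is an added example written for this article, not an AWS tool: an offline check that reads an S3-style bucket configuration (bucket policy, ACL grants and the Public Access Block settings) and reports anything that grants access to anonymous or all-authenticated principals, alongside a hardened configuration with the secure defaults turned on. The two bucket configurations are constructed samples, the account id is a placeholder, and `assess_bucket()` and its finding strings are assumptions; the policy fields, grantee URIs and the four Public Access Block keys are the real S3 names.

```python
"""Added example: offline public-exposure check for an S3-style bucket config.

Illustrative code written for this article, not an AWS tool. The bucket
configurations are constructed samples; assess_bucket() and its findings
are assumptions, while the policy fields, grantee URIs and Public Access
Block keys are the real S3 names.
"""
import json
from typing import Any, Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
SECURE_DEFAULT_PAB = {k: True for k in PAB_KEYS}   # the "secure default" settings


def _is_wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (incl. "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Flag Allow statements whose principal is anonymous ("*")."""
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        scope = "conditional" if stmt.get("Condition") else "unconditional"
        out.append(f"policy grants {', '.join(actions)} to anonymous principal ({scope})")
    return out


def acl_findings(grants: List[Dict[str, Any]]) -> List[str]:
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups."""
    out = []
    for g in grants:
        uri = g.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            out.append(f"acl grants {g.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    return out


def pab_findings(pab: Dict[str, bool]) -> List[str]:
    """Flag any of the four Public Access Block settings that is not enabled."""
    return [f"public access block: {k} is off" for k in PAB_KEYS if not pab.get(k, False)]


def assess_bucket(bucket: Dict[str, Any]) -> List[str]:
    """Combine the three checks; an empty list means no public exposure found."""
    return (policy_findings(bucket.get("policy", {}))
            + acl_findings(bucket.get("acl_grants", []))
            + pab_findings(bucket.get("public_access_block", {})))


# Constructed sample: the classic "left open" bucket (policy, ACL and no PAB).
OPEN_BUCKET = {
    "policy": json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
                         ' "Principal": "*", "Action": "s3:GetObject",'
                         ' "Resource": "arn:aws:s3:::example-open-bucket/*"}]}'),
    "acl_grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    "public_access_block": {},
}

# Constructed sample: hardened bucket. Access only for one role (placeholder account
# id), a Deny for non-TLS requests, owner-only ACL, and all PAB settings on.
HARDENED_BUCKET = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-private-bucket/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-private-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]},
    "acl_grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_ID_PLACEHOLDER"},
                    "Permission": "FULL_CONTROL"}],
    "public_access_block": SECURE_DEFAULT_PAB,
}

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, assess_bucket(cfg) or "no findings")
```

Run against a real inventory, the same three functions would be fed the output of the bucket policy, ACL and Public Access Block API calls; anything flagged as "unconditional" to an anonymous principal deserves the "is this intentional?" question the article suggests providers should ask.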
The bottom line is that any system, whether public or private cloud, is only as secure as the governance, planning, and technology that goes into it. So, what is it that organizations can do? Organizations need to regularly assess the security of their cloud environment, and that of their vendors, suppliers, and partners. They need to ensure that they do not get hung up on their legacy experience, and instead look at the public cloud with a new perspective. The success or failure of a public or private cloud implementation is linked to the organization’s success in educating employees to adopt security best practices. You may build the most durable perimeter and update the network with the most sophisticated security technology that money can buy, but it takes only one sloppy employee ignoring standard security procedures for the company’s entire cloud edifice to be left vulnerable to attack.
Cybersecurity Leader & Solution Architecture Lead - Managing Director at Accenture Security
6 years ago
Great to see cloud architects thinking about security! Security needs to be built in and integrated into a cloud deployment architecture, and not as an afterthought. Key point to note in your article above is that cloud is securable - i.e. there are many means and ways to secure it, but it is the responsibility of the client to apply those principles and tools to ensure the cloud and the data is secured. The best part about public cloud security is the fact that cloud-native security tools are becoming increasingly better, and are changing the paradigm! They are at times actually better than 3rd party tools, and often the only option for PaaS and SaaS (where 3rd party tools cannot secure these services). With all the CSPs investing heavily in security, they are rapidly taking the pole position as the preferred (native) option for securing data in the cloud. Using stuff that you mentioned above such as APIs, etc. - they are ensuring that security is keeping pace with the rapid changes in cloud computing. Indeed it is becoming a never-ending race to be on top of the latest security features released by the CSP biggies (AWS, Azure, GCP, etc.). As they say in the world of risk - the fastest cars have the best brakes! Let the race to the cloud be a safe one!!!
Associate General Manager at HCL Technologies
6 years ago
Nice article. As for security concerns, there are multiple mechanisms like a FW layer as security groups, ACLs applied at the subnet layer, SAML access, and IAM role-based access to have a secure public cloud environment.