Why are traditional security controls not enough when hosting workloads on the public cloud?
Normally, I do not like to have a word like "not" in the title, but I could "not" think of a better title. Now that I have started on a negative note, let me continue by asking the tough questions:
If the answer to all three questions above is "yes", then I want to compliment your organization: you have done very well and are among the small proportion of companies that focus on security. But the bad news is that this could need major rework when your organization decides to leverage cloud computing services. Let me explain the reasons.
Traditional security was implemented with the mindset of limiting access boundaries around the applications. In traditional security architectures, the data center is where the security controls normally reside, and applications live happily under its protection. The data centers are under the complete control of the organization, which can arrange the security controls the way it wants in terms of racks, cables, rooms and access to comply with its security policies. It is quite some management, and I can bet each such organization has a fab security and network team with very smart engineers.
More often than not, the reluctance to move to public cloud is due to the fear of giving up data centers rather than any other rationale like cost benefits. The fear of not being able to pull out cables, or of giving trust to someone else, is really hard to digest. And even for the organizations that are brave enough to go ahead, the estimate provided by the engineers to implement new security controls is always seen as a gigantic investment, as it must also include the cost of procuring new tools, skilling and implementation.
I have probably diluted it a little too much, and of course some of the traditional security controls are still workable in public cloud; but risk assessments need to be done thoroughly, based on the risk appetite of the organization, to evaluate which of the security controls could live as-is in public cloud. Normally this exercise is an eye-opener, and more often than not the gaps are found to be really wide. Most of the traditional security controls would not stand the risk assessment, as the perimeterization in public cloud is not as strong as in traditional data centers.
Cloud computing has rapidly become the technology used by most services, and this trend will only increase. Cloud computing is not the future anymore; it is already everywhere, while most end users don't even realize it. Hence, in the cloud computing world, the focus of security policies needs to change from "controlling access" to "protecting data".
In the cloud computing world, some common security requirements around data are:
and many more.
In cloud computing, two security controls become more important than ever before. The first is certificate management, which plays a significant role in all web service security solutions. Organizations need to make sure that they can create, renew and revoke certificates from a central place in no time. The requirements for use of the PKI must be well established and understood in the organization. The other control is Identity and Access Management (IAM), which has become, in my opinion, the most important security control in the cloud computing world, where a lot of solutions like OIDC, SAML and OAuth exist.
With cloud computing, security breaches can happen at multiple levels of technology, and hence defense in depth and complete mediation are the most important principles to follow. For normal folk like business leaders, it's hard to know whether or not a cloud service is secure enough. Some trust needs to be placed in a cloud provider. But security is a shared responsibility, and no cloud provider will provide a full guarantee for securing the workloads. The shared responsibility is the very reason that security architecture needs to be reconstructed in view of the risk assessments for the cloud computing model.
While cloud provides a beautiful computing model and I am quite fascinated by its benefits, I am also defensive when it is used with a blind eye, putting your workloads there without a full, holistic thought given from a security perspective.
I wish and hope that your organization has already passed this hurdle and is relishing the beautiful benefits of the public cloud. And if not yet, then there is no better time than "now".