Marc Olesen is Senior VP and General Manager for Splunk.
Fear. The fear that the cloud is less secure than an on-premises computing environment is the key reason why IT and business decision-makers have refrained from moving their organizations more aggressively into the cloud.
Just like urban legends — such as alligators in the sewers — the myth that the cloud lacks adequate security has perpetuated over the years, despite industry research that shows otherwise. For example, Gartner data shows most cloud-based services are as secure as many on-premises IT infrastructures and the data they contain.
After the prominent security breaches in retail and the public sector over the last year, it’s clear that a strong security posture is a requirement, not an option, as no one wants to be the next headline. Reviews of these breaches show that they were the result of internal policy or system failures, not the result of any weakness of a cloud service. Although most of these breaches targeted on-premises infrastructure, they contribute to false assumptions about cloud security.
These false assumptions tend to be overplayed and persist, despite an increasing amount of research supporting cloud the security of cloud. A study released by CDW this year showed that nearly half of the 1,204 IT professionals surveyed (47 percent) said security remains a barrier, keeping their organizations from migrating to the cloud. This was followed by trust in cloud solutions at 31 percent.
In a global survey from audit and advisory firm KPMG, 53 percent of the respondents cited data loss and privacy risk as the most significant challenge to doing business in the cloud, followed by the risk of intellectual property theft. In a similar KPMG 2012 survey, cost efficiency was listed as the most significant challenge, indicating that security and data privacy have become greater concerns.
In other words, companies have recognized the cost efficiency of the cloud, but have yet to overcome the security fears. Security versus efficiency doesn’t have to be a choice, and with the cloud, it’s not.
Understanding The Cloud Security Landscape
Let’s take a step back for a moment and get in the shoes of a major cloud provider. Any incidents that expose security vulnerabilities within their infrastructures could be disastrous for a cloud service provider from a business standpoint. As a cloud provider, if I know that security is a major concern among my customer base, then I know I need to deploy the highest levels of security. And, that’s exactly what major cloud providers are doing.
For example, consider the steps Amazon Web Services (AWS) has taken to provide a secure environment for its public cloud services. From a physical security standpoint, AWS’s data centers use the latest electronic surveillance and multi-factor access control systems, and are staffed around the clock by trained security guards.
The company says environmental systems are designed to minimize the impact of disruptions to operations. Multiple geographic regions and availability zones enable services to remain operating in the face of most failure modes, including natural disasters or system failures.
AWS includes built-in security features such as secure access, firewalls, identity and access management tools, multi-factor authentication, private subnets, encrypted data storage, security logs and centralized encryption key management. AWS uses third-party certifications and evaluations to ensure existing and prospective customers that its environment is secure.
Security: A Shared Responsibility
In the same way you’d take precautions before entering a sewer with alligators, organizations considering or using cloud services still need to take steps to make sure they are effectively mitigating whatever risks there might be with the cloud, as well as within their own environments.
Organizations should employ best practices when selecting cloud providers and using their services, such as:
- Putting policies and processes in place to manage cloud services and setting guidelines for employees on how to use these services.
- Making sure contracts with cloud providers include service level agreements (SLAs) that address remediation in the event of a security incident such as distributed denial-of-service attacks and malware, including a description of lines of responsibility during such events.
- Larger companies may want to establish a cloud governance committee to oversee issues such as vendor relations, performance and reliability, acceptable cloud usage, security awareness training and other areas.
- Deploying security technologies to strengthen the security of their IT infrastructure, particularly when building a hybrid cloud environment that combines public clouds, private clouds and on-premises components.
- Creating an in-depth defense strategy that protects the perimeter, as well as end points to guard against intrusions and protect data.
Security is a shared responsibility with your cloud provider, and companies should consider implementing tools such as next-generation and application firewalls, intrusion detection and prevention, anti-virus software, encryption, identity and access management, visibility, log and big data analytics. This can help ensure internal security standards are as high as those set by cloud providers.
Editor's Note: This is Part 2 of a two-part series. You can find the first article, Welcome to the Hybrid World, here.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.