All modern businesses should continually reassess their IT options. If you are still running legacy hardware, you may be considering a move to the cloud, and asking yourself “How secure is the cloud?”. Here is a quick guide to what you need to know.
When people ask questions such as “how secure is the cloud?”, they tend to be talking about the public cloud. Public clouds are systems of cloud infrastructure that are made available for public use. Clients (or tenants) simply buy access to the resources they need. They have nothing to do with the management of the underlying infrastructure.
Security in the public cloud therefore depends first on the Cloud Service Provider (CSP). If the provider’s service is insecure, there is nothing any client can do to make it secure. The CSP’s responsibility stops where the client’s access controls begin: it is the client’s responsibility to ensure that all of their users have the right permissions and are suitably monitored.
There are also private clouds. As the name suggests, private clouds are systems of cloud infrastructure that are wholly owned and managed by the organization that uses them. In this case, the answer to the question “How secure is the cloud?” is that it depends entirely on the company running it.
Before you can start assessing security in the cloud, you need to decide what criteria you will use to assess it. One set of criteria you can use is the US government’s, which defines security in terms of data privacy, reliability, and accessibility.
Privacy means that data should be categorized according to its sensitivity, and any data not intended for public consumption should be protected by suitable access controls.
Reliability means that once data is put into the cloud, it should remain in the same state as it was when it was collected (unless it is deliberately updated). It should never be corrupted.
Accessibility means that data always has to be made available with a reasonable degree of promptness. What this means in practice depends on the data. For example, it is perfectly acceptable for data to be archived in slow storage; it just needs to be retrievable when needed.
If you accept this definition of security, it follows that a cloud (or its data) needs to be protected against both malicious attacks (digital and physical) and environmental risks. This means that cloud security has to involve a combination of physical and digital defenses backed by robust vetting and monitoring.
Here is a quick guide to the main areas of cloud security. If you are using a public cloud, your CSP will manage some of these for you; it is, however, strongly advisable to double-check that they are doing so appropriately. If you are using a private cloud, these are all areas you will need to manage robustly yourself.
Despite the name, clouds are very much based on earth. They need to be in the safest locations it’s possible to find for them. This means they need to be hard to attack physically.
They also need to have a low vulnerability to environmental risks. For example, you might put a cloud data center in a desert. You would not, however, put one in an area with a history of fires, floods, or extreme winds.
Data centers typically also have robust perimeter defenses plus further physical access controls internally. These all require constant monitoring. The bulk of the monitoring work is usually done by software, but it still needs to be overseen by staff. This means that data centers need to have some level of staffing 24x7x365.
Cloud data centers also need a high level of digital security, because much of modern physical security depends on some form of network connection. For example, smart devices check in with cloud servers, and human workers use the network for remote monitoring. The data in a cloud system will need specific protections according to its level of sensitivity.
As with physical security, there needs to be constant security monitoring. Again, most of this will be automated, but the automated tools will require constant human oversight.
All staff should be carefully vetted before undertaking any work with IT infrastructure and/or data, and regularly monitored thereafter. This is not just to pick up on any potentially malicious behavior; it is also to pick up on any performance issues that might lead to security risks if not addressed.
Discover the DataBank Difference today:
Hybrid infrastructure solutions with boundless edge reach and a human touch.