AKF Partners

Abbott, Keeven & Fisher Partners Technology Consultants

Growth Blog

Scalability and Technology Consulting Advice for SaaS and Technology Companies

Cloud Security Misconceptions

September 19, 2018  |  Posted By: Greg Fennewald

Cloud hosting is growing rapidly, with many companies leveraging the cloud to deliver all or a portion of their products and services.  This trend is unlikely to change any time soon as cloud hosting has commoditized digital infrastructure.

One of the concerns with cloud hosting we often hear from our clients is security – security of data stored in the cloud, access controls for the compute resources, and even physical access concerns.  While these concerns are valid to a certain extent, they are all rooted in misconceptions about cloud hosting.

Stripped of all marketing glitz, buzzword bingo points, and misconceptions, cloud hosting is a passel of servers, switches, and storage devices living in a large data center.  Who owns and maintains the hardware and facility is really the primary difference between cloud hosting and company owned data centers or traditional colocation services.

Let’s look at some of the common cloud security misconceptions:

Data Security and System Access - there is a fear that energy drink guzzling teenagers will steal your sensitive data if you store it in the cloud.  Your sensitive data is encrypted at rest, right?  If not, you’re right in thinking that cloud is not for you.  Neither is technology.  Polish up that resume.  Encrypting data is an industry best practice that is rapidly becoming a base expectation, but it does not relieve you of the obligation to notify those potentially impacted by a breach.

The appropriate risk management approach is the set of policies and procedures controlling system access and thus access to data.  In addition to your own policies, the major players in cloud hosting have proven policies and procedures that comply with multiple regulatory requirements and have been repeatedly audited.  They are most likely better at it than you.  The security certifications of major cloud hosting providers can be found here and here.  How does that compare to your program?  How much would it cost for your company to achieve and maintain the same level of certification?  Are your security requirements drastically different from other companies already using cloud hosting?  Chances are that the cloud provider capabilities and your own security program can meet your security needs.

Physical Security - concerns about physical security at cloud hosting locations are typically the result of a lack of topical knowledge.  Cloud data centers have fewer people entering them each day as compared to a traditional colocation data center, where customers bring in their own hardware and work on it inside the shared data center.  Cloud hosting customers do not have physical access to the cloud data centers.  Those entering a cloud data center on a daily basis are either provider employees or service partners - people who have undergone mature access control procedures.

Major cloud hosting providers operate dozens of data centers.  Physical security policies and safeguards have evolved over time and are thoroughly tested.  Just as with system access controls, cloud providers are most likely better at physical security than you.

Economies of Scale

A key reason behind cloud providers being good at logical access control, regulatory compliance, and physical security is the scale at which the major players operate.  They can afford the talent, technology, tools, and oversight. 

The economies of scale that enable cloud providers to deliver the capacity and service quality the market demands are at work in the security arena as well.  Combined with the broad regulatory compliance needs of their customers, these economies of scale enable cloud providers to be better than most across the board in security.

In Conclusion

Regardless of where the infrastructure is hosted, a sound security program should include practices such as:

  • Secure coding standards
  • Role based access control
  • Multi-factor authentication
  • Logged access to systems and data
  • Data encryption at rest
  • Data classification procedure
  • Network segmentation
  • Data egress monitoring
  • Security threat matrix
  • Incident response plan

Combined with the security capabilities of cloud providers, a sound security program should enable nearly any company to make use of cloud hosting in a manner that benefits the business.

Interested in cloud options, but unsure how to proceed?  AKF Partners has helped many clients with cloud strategy and SaaS transition.  More about our services can be found here.

