While deciding among public, private or hybrid cloud offerings, any organization considers the security risks involved as one of the most important parameters. The prefix ‘Public’ alone can make some people think that the public cloud is not as secure as a hybrid or a private offering.
But is that really true – or is the public cloud secure enough for your organization’s data? Let’s analyze this question and arrive at an answer after validating some facts. However, before we do the analysis, let’s give a brief introduction to the public cloud so that this assessment is meaningful even for someone with no technical background in cloud computing.
Introduction to public cloud
The concept of offering cloud computing as a public utility is not new. It was first mooted in the 1960s by JCR Licklider as an ‘intergalactic computer network,’ which laid the foundations of grid computing, an early forerunner of the cloud. However, it wasn’t until the 1990s, when the internet started to offer significant bandwidth, that the idea actually started seeing the light of day. One of the first milestones was the arrival of salesforce.com in 1999, which pioneered the concept of delivering enterprise applications via a simple website. In 2002, Amazon created a suite of cloud-based infra services, including storage and compute, as a captive arm of Amazon e-commerce. Later, by 2006, Amazon Web Services (AWS) was introduced as a commercial web service, with the launch of their compute service Elastic Compute (EC2), which allowed small companies to rent computers on the cloud to run their own applications. Soon enough, other players entered the market as public cloud service providers, prominent among them being IBM Cloud (2011), Google Cloud (2011), Microsoft Azure (2012), and many others.
Public cloud computing is defined as computing services offered by third-party providers over the public internet, making them available to anyone who wants to use them. A public cloud is built on a fully virtualized environment which supports a multi-tenant architecture, enabling users to share computing resources – thus bringing economies of scale and lowering costs. A user pays only for what they use, just like a public utility service such as electricity or piped gas.
This no-capex, opex-only model was the major attraction which initially drew a lot of customers to the public cloud. Over the years, as the technology has evolved, most public cloud service providers have upped their game.
Is that a valid concern, or just a bogey? This article tries to address the query.
Security concerns in the public cloud
Loss of governance
The idea of migrating applications hosted on premise to the public cloud is quite disconcerting to many users.
The concerns are largely around the following areas.
- Data loss/ leakage. Misuse or leakage of data especially with other tenants in the cloud.
- Access control. When a business operates in an exclusively on-premise IT infrastructure, governance is controlled and executed within a ring-fenced environment. In the cloud, the boundaries are suddenly gone and this instils a sense of unease. Customers are not sure whether unauthorised access is prevented, or, even if the cloud providers claim so, how they can be assured of it.
- Incident response. How is this going to be managed?
- DDoS protection. What is the protection from a distributed-denial-of-service attack?
- Data sovereignty. In many cases regulation demands that the data stay within a country or a region. How can a customer be assured of the same when the cloud service provider hosts its infra in its global data centers?
- Compliance to certifications/ audits. Many organizations may be holding security related or other global certifications e.g., ISO 27001 etc., but how can they be assured in the public cloud?
- Misuse of data. There are concerns about customer data being used for the cloud service provider’s analytics or marketing, and/ or being shared with any 3rd parties.
- Data ownership. Who owns the data on the cloud?
- Malicious insider. A malicious insider is an employee of the cloud service provider, for example a disgruntled employee, who abuses his or her position for information gain or for other nefarious purposes. How does one prevent that?
- Visibility. Do I have control over my data, where is it stored? Who can access it in the cloud provider team?
- Deletion. When I delete my data in the cloud, is it truly and completely deleted?
How cloud providers have responded to the security concerns
The Cloud Security Alliance (CSA) was formed in Dec 2008 with the aim of securing cloud computing. It is a not-for-profit organization with a ‘mission to promote use of best practices for providing security assurance for cloud computing.’ Over the years it has come up with several security guidelines and standards to assure public cloud security. Prominent amongst them is the 2010 Cloud Controls Matrix (CCM), which is a baseline set of security controls to help enterprises assess the risk associated with a cloud computing provider. It provides guidance in 16 security domains including application security, identity and access management, mobile security, encryption and key management, and data center operations. In 2013, it launched the STAR (Security Trust and Assurance Registry) certification. STAR has 3 levels of certifications. It encompasses key principles of transparency, rigorous auditing and harmonization of standards. STAR level 2 certification provides multiple benefits including indications of best practices and validation of security posture in the cloud offerings. All major cloud providers conform to these standards and that has greatly helped them build assurance in the minds of the customers.
Shared responsibility model of security
Security and compliance is a shared responsibility between the cloud provider and the customer. This shared model can help relieve the customer’s operational burden, as the cloud provider operates, manages and controls the components from the host operating system and the virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility for and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the security group firewall provided by the cloud provider. Customers should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. The chart above shows this differentiation of responsibility for AWS, commonly referred to as Security ‘of’ the Cloud versus Security ‘in’ the Cloud. It is similar with other cloud providers as well.
Ensuring cloud security
Having a defence-in-depth approach is a fundamental element in how cloud providers provide a trustworthy cloud infrastructure.
- Defence-in-depth. This means applying controls at multiple layers, which involves employing protection mechanisms, developing risk mitigation strategies, and being capable of responding to attacks when they occur. Refer to figure 3 for a graphical representation of the same.
- Physical security. Cloud providers typically design, build, and operate datacenters in a way that strictly controls physical access to the areas where your data is stored. Typically they have extensive layers of protection – access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor. These are further strengthened by biometric access controls, CCTV, and periodic physical security reviews and audits.
- Equipment disposal. Upon a system’s end-of-life, cloud provider operational personnel follow rigorous data handling and hardware disposal procedures to assure that hardware containing customer data is not made available to untrusted parties. They use a secure erase approach for hard drives that support it. For hard drives that can’t be wiped, they use a destruction process that destroys the drive and renders the recovery of information impossible. This destruction process can be done by way of disintegrating, shredding, pulverizing, or by incinerating.
- Identity and access management. Since accessing data and services in the cloud from anywhere needs to be enabled, you need to manage access based on identity authentication and authorization controls in the cloud services to protect data and resources and to decide which requests should be permitted. This can be done by having integration with the enterprise active directory (AD), role based access (RBAC), single sign-on (SSO) and multi factor authentication (MFA), in addition to logging of all events and audit trails.
- Perimeter. The separation and isolation in a multi-tenant environment is enabled via a logical perimeter (VNet in Azure, VPC in AWS). Access can be enabled/ blocked using configuration settings.
- DDoS protection. Backed by the cloud provider’s global network, DDoS protection brings massive DDoS mitigation capacity. You can scrub traffic at the perimeter network edge before it can impact the availability of your service.
- Networking. Limit communication between resources through segmentation and access controls. Deny by default, restrict inbound internet access and limit outbound where appropriate, and implement secure connectivity to on-premises.
- Compute. Ensure applications are secure and free of vulnerabilities by regular automated scans enabled by native tools of the cloud provider. Encrypt the VMs, implement endpoint protection, and keep systems patched and current. Advisor recommendations provided by native cloud tools goad and remind customers towards these actions. For better availability, use multiple VMs – for instance in Azure we use availability set or availability zones. Most cloud providers have built-in security controls integrated into the hardware and firmware components.
- Application. Application security must be built at the design stage itself. Use features like load balancers, traffic managers etc., to prevent unnecessary public exposure. Ensure applications are secure and free of vulnerabilities by regular automated scans. Move from DevOps to DevSecOps.
- Data. Data must be encrypted and the keys be stored in key vaults available in the cloud. Take a snapshot and/ or backup before disks are encrypted.
- Not only are the major cloud providers compliant with the CSA guidelines and certifications, they also hold many global and regional certifications. For example Azure has 90 compliance certifications, including over 50 specific to global regions and countries.
- These ensure regular audits and validation checks which ensure a high level of security posture.
- Distributed regions. Most large cloud providers have a global footprint of data centers hosted in their regions. For example, Azure has 54 regions out of which 3 are in India i.e., in Mumbai, Pune and Chennai. AWS has 22 regions and has one in Mumbai. This helps in meeting data sovereignty requirements.
- Privacy. Most of the cloud providers have taken a lot of proactive measures to ensure privacy.
  - They certify that customer data is used only to provide the services agreed upon, and for purposes compatible with providing those services.
  - They do not use customer data or derive information from it for advertising.
  - They will not disclose customer data hosted in cloud vendor business services to a government agency unless required by law.
- Visibility into your own customer data to effectively use and control it.
- Encryption – own key. No one else has access to the private key.
- Wide array of configurable security options with control to customize security.
- Data storage only in customer-specified geo.
- Reports hub. Available on cloud provider’s website.
From the above it is evident that public cloud security has evolved a lot over the years. Not only have the cloud providers made significant R&D and infra investments in security; the CSA frameworks and global security certifications, along with the rich set of configurable security options made available to customers, have significantly moved the needle of trust, transparency and security in favour of the public cloud.
It must also be remembered that security in the public cloud is a shared responsibility, and customers need to step up and play their part effectively to ensure foolproof security.
Iqbal Singh is currently working in a senior role in a large technology MNC based in New Delhi. He has extensive experience of having worked on both the private and the public cloud. He is an established industry speaker on the technology subjects of cloud, artificial intelligence and digital transformation. Views expressed are personal.
– Iqbal Singh
Technology Expert & Senior Corporate Executive in a European MNC