The biggest question surrounding cloud security is whether or not the public cloud is safe enough for mission-critical applications. Many companies have the same concerns about moving their applications to the public cloud: Will our data be compromised? Will a breach cause the whole thing to come tumbling down?
The truth is that cloud computing is secure; Gartner has stated on multiple occasions that public cloud services from leading providers are secure, and IT leaders across a variety of enterprises have made the move only to find their initial fears unfounded.
Hyperscale cloud services are hyper-secure
Hyperscale cloud providers like Azure and AWS have invested millions in processes and controls to protect their clients. From biometric access controls to isolation of applications and data, they’ve fundamentally hardened the target.
When you migrate to a public cloud, you immediately receive a robust level of security; established cloud service providers are scrutinized by thousands of companies, and auditing firms have validated everything from access controls to the building’s power supply.
A shared security model means what it says
When evaluating the security of a cloud solution, it’s important to distinguish between the security measures the cloud service provider implements, and those you are responsible for.
The AWS’s of the world manage security of the public cloud—from the virtualization layer down. But, security in the cloud is your responsibility. It’s not much different than when you call the shots on security measures for apps in your on-site data center.
Ultimately, a combination of third-party tools and a thorough understanding of your service level agreement can give you the peace of mind to migrate mission-critical applications to the public cloud.
To start off on the right foot, you’ll need to take these key steps:
- Consider the data. Public clouds are not for every enterprise nor are they for every application within an enterprise. Start by moving only your least sensitive workloads and data. In this case, the default security provided by the cloud service providers will be more than adequate. Obvious candidates are websites, online product catalogs and product documentation. Application development and testing is also well suited to a public cloud environment. Data sheets on your company’s blockbuster cancer drug? Probably not.
- Add security, if necessary. If you do move mission-critical applications to the cloud, consider adding security measures over and above what the cloud provider has baked in. For example, you may want to employ your own encryption instead of—or in addition to—those administered by the provider. As a side note, much of what you find in a public cloud environment is already locked down by default when you provision. By contrast, elements of your data center environment are initially open, and you have to remember to secure them.
- Increase visibility. You may also want to add on tools to track usage patterns. Unlike in your data center, where a physical device is used to identify anomalies, cloud environments utilize software to flag abnormal usage or patterns. If you’ve built the security right, you can “cut the wire” when you see that access to a particular database has spiked by 500 percent.
Good tools to use include log management with correlation and analysis, data link presentation tools, and software that can detect abnormal application traffic and data access patterns. Many vendors have virtual products that provide the same function as their physical devices. Others offer physical tools, but have developed them to be cloud-aware and fit easily into the cloud environment.
Worry about the right things
The upside is hard to ignore. With a strategic deployment of the right apps, IT departments can provision faster, lower overall IT costs and provide greater agility to the enterprise.
The better questions to ask are: What are my business goals? What am I trying to achieve? And is cloud right to support that?
For the most part, those answers will trump any real or imagined security concerns.