Despite what you may have heard, the cloud does not make it easier to have poor security from a technical standpoint.
Here’s the thing that many people fail to understand. The cloud is just the same technologies from an on-premises environment running somewhere else. Any risks that you had on-premises are still there in the cloud.
Sure, the share of risks is smaller since the provider takes care of some of them. In a case like Amazon’s EC2, where servers run in the cloud, your organization is just as responsible for security from the operating system on up as it would be if it were a server in your own data center.
Many fail to see this issue clearly and think that there are either unique risks or magical protections afforded by running in Amazon’s world. Of course, when something is “over there” it feels like it’s less your problem. So many things that would have perhaps worried you about a server in your data center may feel more distant when running in the cloud.
Has the Cloud Made IT Staff More Complacent?
No, the cloud hasn’t made people more complacent to risks. But it hasn’t made them more attentive either.
The most common mistake users of public cloud make is to not read their contracts and understand where their responsibilities lie. Often people are unclear as to when and how the creation of a server in the cloud moves from the care and security of the provider to them. I’ve run into folks who mistakenly thought their cloud provider was patching servers through some back door for them. They weren’t, and the servers went unpatched for months.
People also forget that the layer of management given to them by the cloud provider needs some security. The administrative rights used to configure and control cloud systems need to be treated just as carefully as those of any other privileged user of your systems.
Another common mistake is to think that the cloud provider will have the same services that your on-premises systems did. It’s true that Amazon, Microsoft and others do build in many services for customers. But before moving to the cloud you must conduct a full inventory of everything you are doing on-premises to identify gaps.
How Do You Secure Your Data in the Cloud?
Properly securing public cloud resources is, in the end, no different than securing systems running on-premises. The real trick to security in the public cloud is to treat it as if it’s just another data center.
Attempt to build security that’s at least as good as what you had on-premises. Or take the opportunity of the new build-out to make improvements that you would have made on-premises if you only had the time.
From a security perspective, the cloud has been mature for years. Take a look at the intimidating list of security and compliance certifications that the major cloud providers have earned. No IT shop except the most elite (and well-funded) has ever come close to offering a platform as well secured. The providers have to be that secure. If the cloud providers had a major security incident, especially considering how much their security is being scrutinized, they would be finished.
If you have poor security in the public cloud, it’s likely you brought it in when you walked through the door.