There are many viable candidates for the single biggest cliche about cloud computing – e.g., “it’s more cost-effective than on-premises IT,” or perhaps “the cloud is scalable” – but for cyber security purposes, the winner is most likely “the cloud is not secure.” This chestnut has plenty of truth to it, however, and shouldn’t be ignored despite being repeated so often.
Cloud adoption marches on, even as security issues come into focus
Speaking to The New York Times last year for a special report on cloud computing, Rajat Bhargava of JumpCloud observed that the cloud was “by definition” less secure than storing data on-site, since at least some degree of control over the network is relinquished to a third party. This is the essential trade-off of the cloud: giving up control (and responsibility for myriad associated tasks such as configuring servers) in exchange for flexibility.
What do CIOs do when weighing the security risks of the cloud against its rewards? While concerns about data protection often top the results of surveys measuring cloud-related anxiety, adoption of services like Microsoft Azure as well as hosted private cloud has not declined even as potential issues have come to light.
A recent study by Gigaom, compiling responses from 500 IT decision-makers, perfectly encapsulated this ambivalent attitude toward cloud computing:
- Almost two-thirds of respondents listed security as the top inhibitor of cloud uptake.
- At the same time, 71 percent of strategic buyers reported that they used software-as-a-service solutions because these products are more economical and agile than the in-house alternatives.
For businesses, the potential of the cloud is often too enticing to pass up. For example, a Skyhigh Networks study of 13 million users across 350 organizations discovered that the average firm used 831 cloud services in 2014. These utilities could include anything from a social network to an account with Amazon Web Services, and overall their widespread usage suggests a sea change in IT.
Understanding what security means in a cloud-dominated organization
Cyber security software must evolve to match the structure of the cloud, meaning that it has to deal with threats that aren’t necessarily confined to local machines. Traditional tools may defend data by storing blacklist files on endpoints and scanning for intrusions that match specific signatures, but this approach isn’t scalable as IT becomes less centralized and malware proliferates.
Like the cloud itself, the scope of cyber attacks has become massive. Last year saw multiple record-breaking distributed denial-of-service attacks, as well as the continued dominance of Web traffic by bots. Bots accounted for 56 percent of website visits in 2014, with 29 percent of those bots categorized as malicious nodes used for hacking, scraping data, etc.
Aside from scope, the biggest change for security teams in the cloud era is probably having to share responsibilities with cloud providers that manage the software and infrastructure upon which enterprises increasingly rely. Service-level agreements can leave much to be desired in terms of their transparency on security and recovery matters, as a Gartner report noted in August 2013. Enterprises have to keep an eye on:
- How frequently terms of service are updated and what the changes mean for the provider and the end user.
- What encryption options (e.g., local decryption and encryption of data) the service provider offers, and whether additional encryption of files before they are sent to the cloud is merited.
- Where the cloud-stored data is actually located and what physical security measures are in place at that facility.
- What passwords are in use and whether two-factor authentication is enabled.
These measures ensure that risk from routine activities, like accessing cloud accounts, is minimized. Many potential cloud security issues, however, whether sudden outages or DDoS attacks, are less predictable and play off the cloud’s distributed design and often ill-defined security responsibilities.
“In a cloud model, especially public clouds, there is a lot more flexibility,” Mark Nunnikhoven of Trend Micro told InfoQ in late 2013. “A different security approach is essential because the users and cloud provider share the security responsibilities. It is essential to step back and look at what aspects of the deployment you trust and to what level. There is a decided lack of centralized enforcement of security controls. Security can still be managed centrally by using a product like Deep Security, but its enforcement is spread through your computing assets.”
He went on to note that with the cloud, security paradigms must adapt to applications, rather than the other way around, which has been the standard in data centers for decades. Some combination of centralization – being able to view dashboards, for instance – and distributed enforcement is critical for maintaining security in the cloud’s uniquely challenging environment.
What IT departments can do to make their clouds more secure
Public cloud receives many of the headlines about cloud computing and is sometimes synonymous with the term. But IT departments, with the mixed attitude toward cloud outlined in the Gigaom survey, often look to get the best of both worlds by creating a hybrid cloud, i.e., an architecture that bridges data centers and/or colocation sites with Azure, AWS or another public cloud ecosystem.
In the coming years, hybrid cloud is expected to be the dominant deployment model for cloud because of its flexibility, which allows some workloads to be run safely in a corporate facility and then shifted to public cloud if and when demand spikes. A study conducted by IDG Connect on behalf of Oracle found that 36 percent of respondents considered hybrid cloud the next step in their deployments, ahead of both public and private cloud.
Data security was again the top concern cited by respondents, with 55 percent of them seeing it as an issue. Integration with existing applications (47 percent) came in second place. Many organizations have already learned lessons from private cloud adoption and are looking to make a safe journey to public and hybrid infrastructure. Cyber security solutions can help by providing real-time insight into network activity, helping security teams keep up with increasingly complex workloads running on many different systems.