One of the most common misconceptions about cloud migration is that it’s a chance to start afresh, free from the challenges associated with having an onsite server. Whilst the weightless, effortless metaphor of operating from a cloud based system does hold true in terms of setup and operational simplicity, having a cloud infrastructure still demands a multifaceted security strategy and migration certainly doesn’t mean you’ll be leaving all your local server security baggage behind. This week we’ll be working to dissolve the misconception that going server free liberates you from security responsibilities, and we’ll explore some of the security issues commonly carried over from server to cloud.
Where did this idea come from?
A lot of the product marketing associated with the ‘big fish’ cloud service providers (namely Microsoft and Amazon) hinges on the idea that the products themselves provide protection and move the onus of security management and maintenance from the user to the provider. Microsoft Azure’s security tag line is ‘protect your data and assets and comply with global security standards’ whilst Amazon AWS’ security tag line is ‘protect your data with cloud-powered security’. Both pitches implicitly imply that cloud itself is inherently secure and by extension, migration to cloud will improve your network security. Whilst it is true that a lot of the day-to-day security and maintenance issues associated with local hardware become the responsibility of the cloud provider, systemic security issues will simply be transferred over and will continue to cause the same problems in a cloud environment.
Are there security benefits associated with moving to cloud?
Putting the day-to-day network security challenges in the hands of the cloud provider does have some benefits, including:
- A shift in the burden of round-the-clock monitoring and maintenance issues from the company to expert providers ensures high availability and support including 24/7 monitoring
- The opportunity for businesses to tailor security features to suit the compliance and operational requirements of their enterprise
- Eliminates the need for in-house security management specialists
- Companies have access to the latest security innovations implemented by cloud providers
However, these advantages mean nothing if they are used to facilitate a system that hasn’t been built with a rigorous security policy. Regardless of the platform you choose to facilitate your network, it’s crucial to have a well-defined and developed security policy.
Are there some additional security challenges unique to cloud?
Naturally, with benefits come challenges and there are several key security issues that need to be addressed to create a secure cloud environment including:
- Visibility into infrastructure security
- Verifying security policies
- Lack of control over data location
- Vulnerabilities associated with shared infrastructure
- User abuse at the cloud provider level
The emergence of these cloud specific security issues illustrates that there is no such thing as an inherently ‘secure’ platform. Network security is dependent upon the structures built around the cloud environment, not the environment itself.
Common kinds of security ‘baggage’ companies often assume migrating to cloud will resolve
Almost every type of network problem associated with a local server can translate into a cloud environment. Whilst cloud makes things lighter, faster and simpler, the core elements of your network infrastructure will remain the same and if there are pre-existing vulnerabilities, they may even be exacerbated by the cloud environment. Security levels, compliance, governance and liability of the cloud service provider will vary depending on the provider as well as the type of cloud services being engaged, but the key takeaway is that the cloud provider is only responsible for ensuring basic service availability and security of the platform itself, not the network. The bottom line is companies remain accountable for their network security strategy, which should include business continuity planning, regular auditing, staff education and onsite backup. A recent Scalar survey found that 90% of cloud security problems are tied to enterprise shortfalls rather than the technology itself. Many of the cloud security ‘scares’ are the result of companies assuming their network is automatically secure on the cloud platform and letting their security practices lapse as well as failing to address pre-existing vulnerabilities.
What measures can I take to ensure my cloud based network is secure?
The first step in ensuring you migrate to the cloud platform without any security baggage is to identify and understand the problems in your network. The best way to do this is with a comprehensive IT audit that flags vulnerabilities and inefficiencies. Once you have defined your security and governance requirements, it’s much easier to identify the type of security measures you need to deploy to keep your network secure.
The next phase of the process is to think carefully about data access. A 2016 Cloud Passage survey found that 53% of organisations saw unauthorised access and misuse of employee accounts as their biggest cloud security risk. Access management is a key vulnerability that becomes even more important once a company migrates to cloud, and the best way to tackle this is through user education as well as user role management.
Finally, it’s important to implement a regular review system to ensure you identify new vulnerabilities as they arise even after you’ve migrated to the cloud platform, as an untested system is an unsecured system.
In conclusion, businesses operating in a cloud environment still need a comprehensive security strategy to ensure data and application security. If the cloud concept appeals to you because, at face value, it appears to relieve organisations of the burden of security management, it may be beneficial to pair with a reputable IT provider who can help manage the security challenges of your company as well as advise you on the best platform to operate your network. Cloud has many advantages, but it’s not a cure-all for network challenges and it doesn’t suit every business model. Instead of buying into the empty promises of the big fish cloud providers who have a vested interest in selling a product, a better strategy is to pair with an IT provider who can help you gain insight into the needs of your business, and provide advice about the best way to resolve key challenges. If it does so happen that having a cloud based network is right for your business, then IT providers can take away some of the security management burden through managed services.
What our IT experts think
“Cyber crime is on the rise and cyber law will rise to meet it. How will this impact businesses? Increased accountability and an obligation to information security. When contemplating cloud security, my advice would be; know where your data is and how it is being protected. If that information is not available to you, then you are probably with the wrong service provider.”
– Adam Alcide, AWD IT Business Development Manager
“Knowing how to use the latest offerings from Amazon and Azure is important in order to create a stableenvironment and protect your data from hackers and viruses in general.
Using the right IT provider can mitigate some of those risks and assist you with creating an IT plan that aligns with your business requirements”
– Steve Simeonidis, AWD Director and Ethical Hacking Expert
“Security is a primary concern for organisations and IT pros out there who want to embrace the cloud computing era. Effective cloud security can be achieved by putting a set of security policies in action including the implementation of 2Factor Authentication, SSL Encryption for published portals (look out for Green TAB/Lock PAD) and End-To-End encryption for all traffic.
Ultimately however, investing in reliable encrypted backups (locally and remotely) is what will give you peace of mind.”
– Karnav Thakar, AWD Senior Network Technician