10 Tips for Better Public Cloud Storage Security

Tuesday Dec 13th 2016 by Drew Robb

In some cases, public cloud storage services may be more secure than in-house data centers.

Cloud security has always been one of the big issues deterring companies from using public cloud vendors. Fears remain that the public cloud may compromise data security and open the doors to a breach. While those fears are not unfounded, the fact is that more than two-thirds of IT teams have deployed applications and storage to a public cloud, according to a new IDG survey.

Clearly, many common security doubts have been satisfactorily addressed. But concern remains. So how confident should you be about public cloud security, and what responsibilities for security remain in your hands?

1. Prepare for More Cloud, Not Less

The first thing to realize is that there will be more public cloud in your future, not less. It is going to be a losing battle to attempt to block all efforts to use public cloud computing services. Mark Bloom, director of product marketing, compliance and security at Sumo Logic, provided a parallel for the inevitability of more public cloud.

“Ten years ago, no one was virtualizing mission-critical workloads because of security and compliance concerns, but we ended up there anyway,” he said. “This is exactly the same thing for cloud.”

In this world, speed and time-to-market are everything. Organizations, therefore, are looking to be more flexible and agile and to capitalize on business opportunities. The cloud looks attractive from that perspective. Few will resist.

2. Know that Public Cloud Security Is Very Good

Maybe a decade ago, public cloud security was dodgy. Not today. In fact, it is arguable which is more secure, the cloud or an in-house data center. Some would go so far as to say that keeping on-premises data safe is as hard as, if not harder than, keeping data safe in the public cloud.

“The reason for this is the person in charge of security on-premise is not necessarily an expert,” said Michael King, senior director of marketing operations, DDN. “If your data is inside your firewall, you feel as though it’s safer. But the fact of the matter is, when connected to the Internet, no scenario is completely safe. More often than not, the experts at public cloud companies have more resources at their disposal to keep data secure than those on-premise.”

3. Understand Division of Duties

Cloud providers go to great lengths to explain the security controls they apply to safeguard customer information: encryption, firewalls, anti-malware, authentication, public-key infrastructure and a whole lot more. But that doesn’t mean they take care of everything, far from it.

Anyone trusting a cloud provider to take care of every possible aspect of cloud security is in for a nasty surprise. For example, data may be encrypted at rest once it sits inside the provider’s infrastructure, yet if a client sends or fetches it over a plain-text connection it is exposed in transit. Requiring TLS on every request, and requiring that uploads be encrypted, is the customer’s job, not the provider’s.

There is no substitute for understanding the provider’s shared responsibility model. In the case of Amazon Web Services, AWS is responsible for the infrastructure, said Bloom. The customer is responsible for the security of everything that runs on that infrastructure: the applications, the workloads and the data.
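As an added illustration (written for this edit, not taken from the original article or from AWS documentation), the following Python script lints an S3 bucket policy for the two customer-side guards described above: a Deny on any request not made over TLS, and a Deny on uploads that do not request server-side encryption. The bucket name, account ID and both sample policies are constructed placeholders; the condition keys aws:SecureTransport and s3:x-amz-server-side-encryption are the real IAM/S3 condition keys.

```python
"""Lint an S3 bucket policy for the guards that fall on the customer's
side of the shared responsibility line: TLS-only access and mandatory
server-side encryption on upload.

Added example, not from the original article. Both policies below are
constructed samples; the bucket name and account ID are placeholders.
"""
import json

# Constructed sample: the policy a storage team should have in place.
# Statement 1 refuses any S3 call not made over TLS; statement 2 refuses
# uploads that do not carry an x-amz-server-side-encryption header.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
})

# Constructed sample: a policy that only grants access and enforces nothing.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
})


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_equals(stmt, operator, key, expected):
    """True if the statement carries Condition[operator][key] == expected."""
    cond = stmt.get("Condition", {}).get(operator, {})
    val = cond.get(key)
    return val is not None and str(val).lower() == expected


def audit_bucket_policy(policy_json):
    """Return which guards the policy enforces.

    tls_required: a Deny on all S3 actions when aws:SecureTransport is false.
    sse_required: a Deny on s3:PutObject when no SSE header is present.
    """
    policy = json.loads(policy_json)
    result = {"tls_required": False, "sse_required": False}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        covers_all = "s3:*" in actions or "*" in actions
        if covers_all and _condition_equals(stmt, "Bool", "aws:SecureTransport", "false"):
            result["tls_required"] = True
        if (covers_all or "s3:putobject" in actions) and _condition_equals(
            stmt, "Null", "s3:x-amz-server-side-encryption", "true"
        ):
            result["sse_required"] = True
    return result


def missing_guards(policy_json):
    """Names of the guards the policy lacks; an empty list means both are present."""
    return [name for name, ok in audit_bucket_policy(policy_json).items() if not ok]


if __name__ == "__main__":
    print("sample policy:", audit_bucket_policy(SAMPLE_POLICY))
    print("weak policy is missing:", missing_guards(WEAK_POLICY))
```

In practice the policy document would come from the bucket itself (for example, the output of the aws s3api get-bucket-policy command) rather than from an inline sample; the point of the check is that neither guard exists unless the customer writes it, whatever the provider encrypts on its own side.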

4. Consider Who Does What

IDC Analyst Deepak Mohan put it another way. In the shared model, Amazon handles the overall security of the cloud, and customers are responsible for the security of their applications and storage in the cloud.

That said, AWS designs its cloud with security as the highest priority and builds it to meet the most demanding security requirements, he added. For instance, it holds commonly required certifications and accreditations such as ISO 27001 and the DoD SRG.

AWS offers two levels of guidance to customers that need assistance in security for their applications. The base level is through AWS support, which offers customers tools and resources to identify gaps and meet their security needs. More advanced support is available through the AWS Professional Services group and through the AWS Partner Network for customers with more complex and specialized security needs.

“Customers need to plan for and build in security at the application level,” said Mohan.

5. Watch Out for Additional Services

A common gotcha is third-party services that sit on top of Amazon or Azure storage. A large number of vendors piggyback on these storage services with additional features or tools. Many are certified, but not all.

“Make sure any additional services you use on top pursue their own security certifications and attestations to protect data at rest and in motion,” said Bloom. “This will allay fears and give people comfort in sending data through a SaaS-based service.”

6. Use Cloud Security Services

Sumo Logic’s report The State of Modern Applications in AWS, compiled from a year’s worth of data generated and analyzed from more than one thousand of its customers running applications and infrastructure on AWS, found that security was the number-one priority among those heavily invested in the public cloud. Yet those same customers failed to use existing services that would help make their applications and storage more secure in the public cloud.

For example, only 50 percent were leveraging AWS CloudTrail for primary security audits.

“This service will provide visibility into all user actions on AWS,” said Bloom. “Lack of visibility into cloud operations and controls stands as the largest security issue.”

7. Turn on Logging

Bloom also advised users to turn on logging within AWS. More specifically, send the logs from all of your systems to Amazon CloudWatch Logs, so that application and host activity sits alongside the API activity CloudTrail records.
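To make tips 6 and 7 concrete, here is an added example (written for this edit, not part of the original article or of any Sumo Logic or AWS tool) that reads CloudTrail records and flags two things a storage team should never learn about after the fact: bucket ACL changes that grant access to everyone, and calls that stop or alter the trail itself, which is the first thing an intruder with enough privilege tends to do. The records are constructed samples in the standard CloudTrail JSON layout (eventSource, eventName, userIdentity, requestParameters), trimmed to the fields the rules use; user names, bucket and trail names and the account ID are placeholders, and the rules are the author’s own.

```python
"""Scan CloudTrail records for actions that expose storage or blind the
audit trail itself.

Added example, not from the original article. The records below are
constructed samples in the standard CloudTrail JSON shape, trimmed to
the fields used here; names and IDs are placeholders.
"""
import json

# Grantee URIs that mean "everyone on the Internet" / "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}

# CloudTrail API calls that switch off or reshape the audit trail.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample log: one benign read, one ACL grant to AllUsers, one
# StopLogging call, and one canned public-read ACL.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2016-12-01T10:14:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "app-reader"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q3.csv"}},
    {"eventTime": "2016-12-01T10:20:41Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {
         "bucketName": "example-bucket",
         "AccessControlPolicy": {"AccessControlList": {"Grant": [
             {"Grantee": {"xsi:type": "Group",
                          "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]}}}},
    {"eventTime": "2016-12-01T10:22:09Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventTime": "2016-12-01T10:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "requestParameters": {"bucketName": "example-bucket", "x-amz-acl": ["public-read"]}},
]})


def _principal(rec):
    """Best available name for who made the call."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _public_acl_reasons(params):
    """Yield a reason for each way a PutBucketAcl request opens the bucket up."""
    canned = params.get("x-amz-acl", [])
    for acl in (canned if isinstance(canned, list) else [canned]):
        if acl in PUBLIC_CANNED_ACLS:
            yield "canned ACL %s" % acl
    grants = (params.get("AccessControlPolicy", {})
              .get("AccessControlList", {})
              .get("Grant", []))
    for grant in (grants if isinstance(grants, list) else [grants]):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            yield "%s granted to %s" % (grant.get("Permission", "?"), uri.rsplit("/", 1)[-1])


def detect(records_json):
    """Return a finding dict for every record that matches a rule."""
    findings = []
    for rec in json.loads(records_json).get("Records", []):
        src, name = rec.get("eventSource"), rec.get("eventName")
        params = rec.get("requestParameters") or {}
        reasons = []
        if src == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            reasons.append("audit trail modified: %s" % params.get("name", "?"))
        elif src == "s3.amazonaws.com" and name == "PutBucketAcl":
            reasons.extend(_public_acl_reasons(params))
        for reason in reasons:
            findings.append({"time": rec.get("eventTime"), "principal": _principal(rec),
                             "event": name, "bucket": params.get("bucketName"),
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print("%(time)s %(principal)s %(event)s %(bucket)s: %(reason)s" % f)
```

The two rules are deliberately narrow: a public grant on a bucket and a StopLogging call are unambiguous, so they can page someone without tuning. The same loop would be fed from the CloudTrail log files delivered to S3 or from a CloudWatch Logs subscription, which is exactly the visibility the Sumo Logic figures above show half of AWS customers were not collecting.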

8. Address Compliance Concerns

Certain industries require specific compliance and certifications, such as HIPAA for healthcare-related applications and PCI DSS for payment card processing. Even for applications that are not governed by mandatory compliance standards, business needs and internal policies require a strong focus on security.

“Designing and certifying a compliant application stack from the infrastructure up can be a tedious process,” said Mohan. “Activities such as penetration testing and arranging independent certification reviews can take time away from the core focus of the application.”

He said Amazon's cloud infrastructure is designed and certified for a number of commonly used compliance and audit standards, making it easier and faster for end users to build, certify and run their own compliant applications on AWS. Among the list of certifications and audits supported are PCI DSS Level 1, SOC reports and ISO 9001.

9. Be Aware of Geographic Issues

Regional and national differences bring complexity into the security picture. Germany, for example, has very strict rules about customer data leaving its borders.

“Understand which region or which legislation your data is located in as well as whether you can move it at all,” said Goran Garevski, vice president engineering at Comtrade Software. “Some countries and verticals have specific information management regulations.”

10. Bring it Back

Just because you move data to the cloud doesn’t mean it has to always stay there. The IDG survey discovered that nearly 40 percent of those using public cloud storage have brought some workloads back in-house. Why? The top reasons for abandoning public cloud deployments are security (55 percent) and cost (52 percent) concerns, followed by manageability, reliability/performance, lack of flexibility/customization, support/service issues, and concerns about the level of control over resources or data.

By following the guidance our experts offer above, however, it may not be necessary to bring too many workloads back into the enterprise.

Photo courtesy of Shutterstock.

Copyright 2017 © QuinStreet Inc. All Rights Reserved