14/12/16 | Security
Can you see into your cloud?
In real estate, the most important word is “location”. When it comes to cloud technologies, perhaps the most important word is “visibility”. You cannot protect what you cannot see, and in the case of cloud, visibility is often (for lack of a better word) “cloudy”.
It’s this lack of visibility that prevents businesses from using cloud-based technologies. It is much easier to “corral” and protect systems that you can see. This is why many businesses opt for in-house or on-premises systems: because they’re static, they’re easier to protect.
Cloud technologies, on the other hand, are designed to be elastic in nature. They are also built to make redundancy easier. The elasticity is built in for each customer and for all customers together. That being said, cloud providers are providing a “service” to many customers at once, which leads to a shared responsibility model.
Think of the cloud as a parking garage in which you have paid for one month to park one vehicle. You can enter the parking garage at any time and are allowed to park on any floor where the space is not restricted. You are not guaranteed a specific space, but you are guaranteed a space. Because we tend to be creatures of habit, you find a space that you like and park there regularly during the month.
You do not know who else will be parking in this garage. Someone else might have rented more than one space (redundancy) and decided to park all their vehicles in one area of the parking garage. This area happens to include the space that you have become accustomed to parking in. You are not notified (visibility) of this prior to your arrival, so when you arrive to park your car, you have to find another space in the garage.
Now, the parking garage has ample room and can open up other floors in case more are needed (elastic), and because you have purchased access, a space is guaranteed for you. You find another space on another floor.
In using the parking garage, it is expected that you will treat other vehicles with respect. This means that you will park within the lines of the space that you have found and you will not block or damage other vehicles. This is the “shared responsibility” of using the garage.
When you have elasticity and redundancy within the cloud environment, it is a lot harder to “corral” and protect just your systems. Think of having multiple datacentres that are growing and shrinking as needed. Also, these datacentres are duplicating themselves into other datacentres as needed. Cloud Service Providers (CSPs) are providing the least amount of security possible.
In conclusion, migrating to cloud technologies does not remove the responsibilities of the customer. Customers are still required to manage systems and data and to maintain governance.
There are also shared responsibilities that come with using cloud technologies. It is worth taking the time to understand what your responsibilities are and what the cloud provider can offer. Such responsibilities are noted in chapter 20 of Cloud Security Ecosystem. These include, but are not limited to: protection of data assets, validation of access, confirmation of redundant systems, and usability of backups.
While these vary from business to business, it is worth taking the time to understand what your cloud provider can offer in terms of security.