Is your data safe in the cloud? Security practitioners often have very strong opinions on the security of data in the cloud. In fact, many believe that hosting data in a remote data center simply cannot be more secure than hosting data locally.
I spent 14 years working for the US Army and other government agencies. As such, I fully understand the reluctance that many feel about shifting data and operations to the cloud. The simple notion of hosting any content outside of a government-controlled enclave was, for most of my tenure, heresy.
I’d like to begin by scoping this article to data that falls into the categories of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). Controlling and securing data in Software as a Service (SaaS) environments, like Google Drive or Salesforce, will be discussed in another article.
The Shared Responsibility Model
In an earlier article, Jonathan Villa discussed the concept of the Shared Responsibility Model. The premise of that model is that the cloud service provider (CSP), by necessity, assumes responsibility for some of your security burden. Depending on the service category (IaaS or PaaS), you and your CSP share a different set of responsibilities for the security of your data.
In an IaaS model (e.g. compute VMs, virtual networks), the customer is given the most flexibility in services, but also has a greater responsibility for securing the data. Inversely, with PaaS services (e.g. hosted databases, queue systems), the consumer may be somewhat restricted by the service offerings, but they also don’t (and usually can’t) control any underlying operating or security infrastructures.
But Not-So-Shared Responsibility?
The Shared Responsibility Model provides a convenient framework in which to delineate your responsibilities from those of your CSP. However, at the end of the day, your data is your responsibility. If you suffer a data breach, the chances are that Amazon or Microsoft aren’t going out of business; but you might.
Like any other IT and security initiative, you need to look at the cloud from a risk standpoint. There will most certainly be new risk areas to consider when putting your data in the cloud. However, you must weigh those new risks against your current risks, something that many fail to consider.
For example, one concern that many cloud adopters have is administrative access to the hypervisor (e.g. the management plane). In the case of AWS, access is granted to administrators when justified, logged, and audited, and the credentials are revoked when the specific work is completed. This is in sharp contrast to what happens in most traditional data centers. In a traditional data center, administrative users generally have access to all data, all the time, regardless of specific need-to-know. In this one area, access to your data is likely controlled better inside AWS than in a traditional data center. On the other hand, this presumption requires an implicit trust of the AWS personnel and key management systems. This is just a single example, however.
Compliance is another issue that AWS and Azure can help with, without much effort at your end. In many cases, moving data to the appropriate cloud services (in the right way) can satisfy a vast majority of your compliance requirements.
In the End, CSPs Are Safer Than You Think
If you’re reading this article, the chances are that you’re a security practitioner and likely very skeptical of the cloud; that’s a good thing! But, anecdotally speaking, it’s exceedingly rare to see a data center secured to standards comparable to those of a major CSP. While certain risks will be inherent to cloud operations (or remote hosting in general), there are other benefits and risk reduction mechanisms that must be weighed into the decision. In the end, it comes down to the larger security strategy, sound architecture and risk-based prioritization.
About GuidePoint Security
GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business; its classification can be found in the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.