Ask your colleagues whether cloud security is the same as or different from traditional data center security; some will say it’s the same, while others will say it’s different. The correct answer, of course, is “yes.”
There are probably as many similarities as there are differences between cloud and classic data center security models. Depending on the “flavor” of cloud we are discussing (IaaS, SaaS, PaaS), some of the primary similarities include:
- Architecture – How will you segment the cloud(s) for access control?
- Asset Identification – What’s in there? What is important?
- Data Protection – We still need to decide on classification, and understand where the data is, how it’s processed, and how and when it moves through our environment.
- Automation – What gold images and templates are in place for things like approved VM images for the various server roles?
Regardless of your choice of cloud provider, understanding the architecture is as fundamental with clouds as it is with any other cybersecurity project. If you don’t know how everything is put together, you will have no way to really understand the potential problems, which will make it, well, impossible to create an effective solution. Similarly, you still need to identify and classify all of your assets, even if they are virtual, for access control and monitoring purposes. See how this could be a discussion for either cloud/not cloud?
Next, and increasingly important (because of how we typically consume cloud), is your data protection plan. Keeping track of critical data location – how it’s touched and its movements – is necessary to establish a reference model of your normal operations. Without this as a starting point, you will be unable to catch anomalies that could indicate data corruption/exfiltration attempts. Finally, two things to consider: the volume of cybersecurity data is obnoxious and increasing, so automation is vital to managing the flood of information; and automation around templatizing will be essential for scale, as well as controlling the initial secure configuration.
Clouds are only going to increase in terms of scale and complexity of activity, and without automation to assist with scaling contextual awareness, security professionals do not stand a chance.
Some of the primary differences between traditional data center and cloud may even be to your advantage as a security practitioner:
- Shifting areas of responsibility – Simple GUIs with easy-to-use interfaces may attract non-IT people to the stewardship game.
- Vanishing concept of a perimeter – We used to say, “The endpoint will be the perimeter,” but this has not really proven out. However, having the perimeter at the data center vs. including all of your workstations reduces the attack surface into our environments.
- You may no longer need to deal with patching, firmware, and configuration management – In the SaaS and PaaS models, we really don’t care what OS is being run. We are consuming storage and applications, so that is now our provider’s problem.
You will want reasonable assurances that these and other aspects of the cloud foundations are being well managed, but the tasks are no longer yours to deal with, enabling your team to focus on application and data security. Think about how you will get this assurance from your cloud service providers (CSPs).
The legacy concept of inside and outside the perimeter is rapidly disappearing with the adoption of cloud, and strong authentication might finally be attainable. It doesn’t matter if you are in the office, at home, or on the road – you still need keys to get in the door. This is a big bonus for employees and partners, increasing access to critical applications and data from wherever work takes them. However, beware of granting too much access from a single login, as phishing and credential theft are still some of the primary attack vectors.
Another difference that will make things more challenging is the lack of machine-level access for digital forensics (for SaaS and possibly PaaS). If you are used to relying on extensive logs or physical access to analyze a potential attack or compromise, this information may be unavailable or more difficult to obtain. Make sure you evaluate the incident response options available from your provider.
There have not been any known breaches so far where the cloud was root cause for the incident. Like any system, you need to evaluate the risks in your context, and manage them appropriately. Think about the risk equation (Risk = Threat x Vulnerability x Impact). Are the primary credible threats data loss, or loss of service? What is the impact to the business for each attack scenario?
The question is not just whether moving to the cloud increases your risk, but also what new or different threats are emerging, and whether or not you are vulnerable. Mindset is key to understanding your risk tolerance and treatment options.