Cloud security is the protection of data, applications, and infrastructures involved in cloud computing. Many aspects of security for cloud environments (whether it’s a public, private, or hybrid cloud) are the same as for any on-premise IT architecture.
High-level security concerns—like unauthorized data exposure and leaks, weak access controls, susceptibility to attacks, and availability disruptions—affect traditional IT and cloud systems alike. As in any computing environment, cloud security involves maintaining adequate preventative protections so you:
- Know that the data and systems are safe.
- Can see the current state of security.
- Know immediately if anything unusual happens.
- Can trace and respond to unexpected events.
The principles of data protection are the same whether your data sits in a traditional on-prem data centre or in a cloud environment. The way you apply those principles, however, is quite different when it comes to cloud security vs. traditional security. Moving data to the cloud introduces new attack surfaces, threats, and challenges, so you need to approach security in a new way.
Organizations typically have a mix of traditional IT and cloud services, so security solutions need to protect both. The security controls in place for the data centre may not be suitable for new challenges introduced in the cloud. Big data, the new skills required of security teams, and compliance and regulatory requirements all add to the complexity and cost of cloud security solutions.
The good news is that there are security solutions available to address the challenges. Ideally, you want a solution that minimizes the load on your security team, as well as the training time required to support the solution. It also needs to address the new cloud security threats, while still protecting traditional systems. Understanding the differences between cloud security vs. traditional security is key to finding the right security solution.
Cloud Security Threats
Cloud and traditional IT environments need to protect against many of the same threats. Even though the threats may be the same, new solutions are needed to protect resources in the cloud. The cloud may introduce new threats, as well.
Containers, Microservices, and Serverless
Applications in the cloud often run serverless, as microservices, or in containers. Traditional security solutions are not equipped to handle these newer technologies. Threats can and do go undetected.
The cloud is dynamic and elastic in nature. The frequent, sudden, and hyper-scale changes seen in the cloud would cripple many traditional security solutions.
Hybrid and Multi-cloud
Another unique challenge is hybrid and multi-cloud architectures. Monitoring and analysis of traffic traversing multiple clouds from different providers are difficult with on-premises security solutions.
It makes sense that the best way to address security threats in the cloud is with a cloud-native security solution. These solutions are built in the cloud with the capabilities to handle today’s varied architectures.
While many people understand the benefits of cloud computing, they’re equally deterred by security threats. We get it. It’s hard to wrap your head around something that exists somewhere between amorphous resources sent through the internet and a physical server. It’s a dynamic environment where things are always changing—like security threats. The thing is that, for the most part, cloud security is IT security. And once you understand the specific differences, the word “cloud” doesn’t feel as insecure.
Security has a lot to do with access. Traditional environments usually control access using a perimeter security model. Cloud environments are highly connected, making it easier for traffic to bypass traditional perimeter defences. Insecure application programming interfaces (APIs), weak identity and credentials management, account hijacks, and malicious insiders may pose threats to the system and data. Preventing unauthorized access in the cloud requires shifting to a data-centric approach. Encrypt the data. Strengthen the authorization process. Require strong passwords and 2-factor authentication. Build security into every level.
Everything is now in software
“Cloud” refers to the hosted resources delivered to a user via software. Cloud computing infrastructures—along with all the data being processed—are dynamic, scalable, and portable. Cloud security controls need to respond to environmental variables and accompany workloads and data while at rest and in transit, either as inherent parts of the workloads (e.g. encryption) or dynamically through a cloud management system and APIs. This helps to protect cloud environments from system corruption and data loss.
Sophisticated threat landscape
Sophisticated threats are anything that negatively impacts modern computing which—of course—includes the cloud. Increasingly sophisticated malware and other attacks like Advanced Persistent Threats (APTs) are designed to evade network defenses by targeting vulnerabilities in the computing stack. Data breaches can result in unauthorized information disclosure and data tampering. There’s no clear solution to these threats, except that it’s your responsibility to stay on top of the cloud security practices that are evolving to keep up with emerging threats.
Cloud-native security solutions, built specifically to protect cloud resources, excel where traditional on-premises security solutions struggle. Here’s a breakdown of how cloud and traditional security solutions address major challenges:
| Challenge | Cloud Security | Traditional Security |
|---|---|---|
| Visibility | Monitoring of both on-premises and cloud resources. On-premises resources across different locations can be monitored without additional security appliances at each site. | Monitoring of on-premises resources, but only limited monitoring of cloud resources. |
| Deployment | SaaS model eliminates the need to deploy hardware or software. Saves time on change management, facilities, provisioning, etc. Runs on an established platform, so deployment issues are rare. | Security appliances must be procured, shipped to each site, installed, and configured. Given the new infrastructure and initial configuration, deployment issues are common. Gartner says that over 50% of SIEM deployments fail. |
| Time to Value | Rapid deployment, built-in and updated content, updated use cases, and a simplified user experience let you get started on security in just a few hours or days. | Typical project lifecycle (procure, ship, install, configure, tune) causes slow time to value. Long cycles for updating, managing, and running the use cases, etc. Most deployments run more than 9 months, and you usually cannot see value in the first year. |
| Maintenance | Handled by the cloud service provider (CSP). Vendors usually update the platform every day and ship features and bug fixes more frequently. It is typical for cloud vendors to have 12 releases a year, whereas software/appliances are updated once a year. | Handled by in-house IT and security teams. This is a big point of failure. We see more customers looking for cloud solutions after they go through a maintenance cycle and stop seeing value. |
| Total Cost of Ownership and ROI | Opex based; no long-term contracts; easy to replace vendors if there is no fit; payback is typically 6-9 months; subscription cost covers almost 70% of the TCO. | Big budgetary investments; long planning and deployment cycles; multiple groups (security, IT, facilities, ops, DevOps, LOB, and apps) are all involved; licensing cost is only 9% of the TCO, with HW/SW/facilities and other hidden costs on top; tough to predict the pricing for the next quarter/year. |
| Updates and Patches | Cloud vendors take care of updates and patches through the shared responsibility model; low risk of vulnerabilities from unpatched systems. | Requires periodic maintenance windows and planned outages; unpatched systems are a big threat to security. |
| Capacity Planning and Elasticity | No planning needed for capacity; elastic scaling takes care of unplanned capacity needs; seasonality, peaks, and bursts are handled effortlessly. | HW, SW, and licensing need to be planned for overcapacity to cover occasional bursts or peaks; your TCO is designed around seasonal peaks; extreme bursts lock you out of tools when you need them most. |
Regardless of what cloud deployment you’re using, you’re responsible for securing your own space within that cloud. Using a cloud maintained by someone else doesn’t mean you can—or should—sit back and relax. Insufficient due diligence is a major cause of security failures. Cloud security is everyone’s responsibility, and that includes:
Using trusted software
What’s inside your cloud matters. As with any code you download from an external source, you need to know where the packages originally came from, who built them, and if there’s malicious code inside them. Obtain software from known, trusted sources and ensure that mechanisms are in place to provide and install updates in a timely way.
Personal, financial and other sensitive data may be subject to strict compliance regulations. The laws vary depending on where (and with whom) you do business—for example, see the European Union’s General Data Protection Regulation (GDPR). Check your compliance requirements before choosing a cloud deployment.
Cloud-native environments make it easy to spin up new instances—and it’s also easy to forget about the old ones. Neglected instances can become cloud zombies—active but unmonitored. These abandoned instances can become outdated quickly, which means no new security patches. Lifecycle management and governance policies can help.
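One way to put such a lifecycle policy into practice is an inventory sweep that flags "zombie" instances. The following is an added example, not code from the original page or from any vendor it mentions; the `Instance` and `Policy` types, the thresholds, and the sample inventory are all constructed for illustration, and a real deployment would feed it from the cloud provider's inventory API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class Instance:
    instance_id: str
    launched: datetime
    last_activity: datetime           # last login, API call or network flow observed
    last_patched: Optional[datetime]  # None if no patch run has ever been recorded
    tags: Dict[str, str] = field(default_factory=dict)

@dataclass
class Policy:
    idle_days: int = 30               # no activity for this long -> suspect zombie
    patch_age_days: int = 45          # older than this without patching -> flag
    required_tags: tuple = ("owner", "expires")

def zombie_findings(inst: Instance, now: datetime, policy: Policy) -> List[str]:
    """Return every policy violation for one instance (empty list = healthy)."""
    findings = []
    missing = [t for t in policy.required_tags if t not in inst.tags]
    if missing:
        findings.append("missing tags: " + ", ".join(missing))
    idle = (now - inst.last_activity).days
    if idle > policy.idle_days:
        findings.append(f"idle for {idle} days")
    if inst.last_patched is None:
        findings.append("never patched")
    elif (now - inst.last_patched).days > policy.patch_age_days:
        findings.append(f"unpatched for {(now - inst.last_patched).days} days")
    expires = inst.tags.get("expires")
    if expires and datetime.fromisoformat(expires) < now:
        findings.append(f"past expiry tag {expires}")
    return findings

def find_zombies(instances: List[Instance], now: datetime,
                 policy: Policy = Policy()) -> Dict[str, List[str]]:
    """Map instance id -> findings for every instance that violates the policy."""
    return {i.instance_id: f for i in instances if (f := zombie_findings(i, now, policy))}

# Constructed sample inventory; all timestamps are naive UTC for simplicity.
NOW = datetime(2024, 3, 1)
SAMPLE_INVENTORY = [
    Instance("i-web-01", datetime(2024, 2, 1), NOW - timedelta(days=1),
             NOW - timedelta(days=10), {"owner": "web-team", "expires": "2024-12-31"}),
    Instance("i-test-77", datetime(2023, 10, 5), NOW - timedelta(days=90),
             datetime(2023, 10, 5), {"owner": "qa", "expires": "2024-01-15"}),
    Instance("i-unknown", datetime(2023, 6, 1), NOW - timedelta(days=200), None, {}),
]
```

Running `find_zombies(SAMPLE_INVENTORY, NOW)` leaves the actively used, patched, tagged web instance alone and reports the idle test box and the untagged, never-patched instance, each with the specific reasons a governance ticket would need.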
Can you easily move your workloads to another cloud? Service-level agreements (SLA) should clearly define when and how the cloud provider returns the customer’s data or applications. Even if you don’t foresee moving things soon, it’s likely a future scenario. Prevent future lock-in concerns by considering portability now.
Monitoring what’s going on in your workspaces can help you avoid—or at least inhibit the effect of—security breaches. A unified cloud management platform (like Red Hat CloudForms) can help you monitor every resource in every environment.
Choosing the right people
Hire and partner with qualified, trustworthy people who understand the complexities of cloud security. Sometimes, a public cloud’s infrastructure may be more secure than a particular organization’s private cloud, because the public cloud provider has a better informed and equipped security team.
There are many security solutions delivered from the cloud today, including SIEM, firewall, IPS, and others. It is important, however, to differentiate those that are cloud-native from those that are really just “lift-and-shift” traditional security solutions that have been moved into the cloud.
For example, running firewall software on a virtual machine in the Amazon Web Services cloud is not a cloud-native solution. It is a traditional firewall running on an infrastructure-as-a-service (IaaS) platform.
SaaS for True Cloud Security
Cloud-native security runs on a true software-as-a-service model. One of the benefits of SaaS is that the software vendor is responsible for the entire service stack, from the hardware through to the application.
By contrast, IaaS uses a shared responsibility model in which the cloud vendor is only responsible up to the virtual machine. You are responsible for everything from the operating system up to the application. That means that as transient demand changes occur, you would have to manually provision additional resources to match the demand of your cloud resources, a task that humans could never keep up with.
Visibility into containers and microservices
Traditional security solutions do not have the ability to view activity within a container or events across containers and microservices. This leaves you blind to threats. Cloud security is aware of containers and microservices, being purposefully built to see the threats against them. A cloud security analytics platform provides insight that a traditional SIEM solution would miss.
Cloud-native Capabilities for Elasticity and Scalability
Cloud computing environments are dynamic, with frequent transient events. In order to keep up with changes in scale and demand, cloud security must be just as agile, having the same elastic and scalable capabilities.
The WCS security analytics platform delivers on the promise of cloud security. WCS uses a true SaaS model. Sumo can view activity within containers and across microservices. There are apps and integrations for many specific cloud services such as Docker containers and Amazon EC2 Container Services for deeper insight into those services and applications.
Ok. Let’s talk about it. We could tell you all about the security differences between the 3 cloud deployments—public, private, and hybrid—but we know what you’re really wondering: “Are public clouds secure?” Well, it depends.
Public clouds are appropriately secure for many types of workloads, but aren’t right for everything, largely because they lack the isolation of private clouds. Public clouds support multitenancy, meaning you rent computing power (or storage space) from the cloud provider alongside other “tenants”. Each tenant signs an SLA with the cloud provider that documents who’s responsible and liable for what. It’s a lot like leasing a physical space from a landlord. The landlord (cloud provider) promises to maintain the building (cloud infrastructure), hold the keys (access), and generally stay out of the tenant’s way (privacy).
In return, the tenant promises not to do anything (e.g. run unsecured applications) that would corrupt the integrity of the building or bother other tenants. But you can’t choose your neighbors, and it’s possible to end up with a neighbor who lets in something harmful. While the cloud provider’s infrastructure security team is watching for unusual events, stealthy or aggressive threats—like malicious distributed denial-of-service (DDoS) attacks—can still negatively affect other tenants.
Fortunately, there are some industry-accepted security standards, regulations, and control frameworks like the Cloud Controls Matrix from the Cloud Security Alliance. You can also isolate yourself in a multi-tenant environment by deploying additional security measures (like encryption and DDoS mitigation techniques) that protect workloads from a compromised infrastructure. If that’s not enough, you can deploy cloud access security brokers to monitor activity and enforce security policies for low-risk enterprise functions. All of this may still not be sufficient, though, for industries that operate under strict privacy, security, and compliance regulations.
Security decisions have much to do with risk tolerance and cost-benefit analysis. How could potential risks and benefits affect the overall health of your organization? What matters most? Not every workload demands the highest level of encryption and security. Think about it like this: Locking your home keeps all your belongings relatively secure, but you might still lock your valuables in a safe. It’s good to have options.
That’s why more enterprises are turning to hybrid clouds, which give you the best of all the clouds. A hybrid cloud is a combination of 2 or more interconnected cloud environments—public or private.
Hybrid clouds let you choose where to place workloads and data based on compliance, audit, policy, or security requirements—protecting particularly sensitive workloads on a private cloud, while operating less-sensitive workloads in the public cloud. There are some unique hybrid cloud security challenges (like data migration, increased complexity, and a larger attack surface), but the presence of multiple environments can be one of the strongest defenses against security risks.