5 Cloud Security Myths Debunked
The benefits of cloud are extensive. Cloud enables rapid deployment, provisioning and scaling of IT resources, which means users can integrate acquired companies more easily and enter new markets more quickly — all while shortening development times, reducing waste and lowering costs.
But despite growing cloud adoption rates, some companies are still reluctant to aggressively move workloads and applications to the cloud. The reason is security. Security remains one of the major concerns both when moving applications to the cloud and selecting the right cloud provider.
It's time to separate fact from fiction and debunk some cloud security myths regarding Infrastructure as a Service (IaaS) — the building block for all other cloud services.
MYTH 1: Customers in the same cloud can attack each other.
A persistent myth concerning cloud is that a multitenant, cloud-based infrastructure is inherently more vulnerable than a traditional IT infrastructure. In a public cloud, customers share a pool of compute, storage and network resources. As these physical resources are shared, the first common concern is that cloud customers are more easily subjected to attack by other customers using the same service. To dispel this myth, let's examine the three basic attack vectors in a multitenant environment:
- At the hypervisor layer: This is where the primary separation between customers occurs in a cloud environment. Hypervisors are extremely difficult to attack; very few documented attacks exist in which a virtual machine used a hypervisor flaw to elevate its privileges or to read data belonging to other virtual machines.
- At the management layer: The hypervisor must be properly patched and maintained. Unlike ordinary end-user software, however, its management interface can be isolated from tenant resources by placing it on a separate management network.
- Within multitenant networks: Another concern in multitenant environments is keeping customers of the same provider off each other's networks. This is typically mitigated through VLAN isolation.
DEBUNKED: It is not easy for one subscriber to attack another in a multitenant cloud environment. In addition, some cloud providers offer options to further mitigate multitenancy risks. Cloud subscribers should evaluate their applications and requirements and choose a cloud provider and cloud offering based on the needs of those applications.
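The two network controls named above, a dedicated management network and per-tenant VLAN separation, are simple to state and easy to get wrong in day-to-day provisioning. The following added example (not code from the article or from CSC) audits a constructed virtual-switch port inventory for both conditions: a tenant VM attached to the management VLAN, and a VLAN carrying more than one customer tenant. The VLAN numbers, tenant names and the use of the tenant label "provider" for the operator's own hosts are assumptions made for the example.

```python
"""Added example: audit a constructed port inventory for tenant isolation.

Assumptions (not from the article): VLAN 10 is the hypervisor management
network, and hosts owned by the operator carry the tenant label "provider".
"""
from dataclasses import dataclass

MANAGEMENT_VLANS = {10}  # assumption: VLAN 10 carries hypervisor/management traffic
OPERATOR_TENANT = "provider"


@dataclass(frozen=True)
class Port:
    vm: str       # virtual machine name
    tenant: str   # owning tenant; OPERATOR_TENANT for the cloud operator's own hosts
    vlan: int     # VLAN the virtual NIC is attached to


def find_isolation_violations(ports):
    """Return human-readable findings; an empty list means the inventory is isolated."""
    findings = []
    tenants_per_vlan = {}
    for p in ports:
        tenants_per_vlan.setdefault(p.vlan, set()).add(p.tenant)
        # Control 1: only operator hosts may sit on the management network.
        if p.vlan in MANAGEMENT_VLANS and p.tenant != OPERATOR_TENANT:
            findings.append(
                f"tenant VM {p.vm} ({p.tenant}) is attached to management VLAN {p.vlan}")
    # Control 2: no VLAN may be shared by two different customer tenants.
    for vlan, tenants in sorted(tenants_per_vlan.items()):
        customers = tenants - {OPERATOR_TENANT}
        if len(customers) > 1:
            findings.append(f"VLAN {vlan} is shared by tenants {sorted(customers)}")
    return findings


# Constructed sample inventory; the last two ports are deliberately misplaced.
SAMPLE_PORTS = [
    Port("hv-mgmt-01", OPERATOR_TENANT, 10),
    Port("web-01", "acme", 101),
    Port("db-01", "acme", 101),
    Port("app-01", "globex", 102),
    Port("app-02", "globex", 101),  # shares acme's VLAN
    Port("jump-01", "globex", 10),  # on the management VLAN
]

if __name__ == "__main__":
    for finding in find_isolation_violations(SAMPLE_PORTS) or ["no violations"]:
        print(finding)
```

Run against the sample inventory it reports exactly the two misplaced ports; the first four ports alone produce no findings. The same check applies unchanged to an inventory exported from a real virtual switch, provided the management VLAN set and operator label are filled in from the provider's own documentation.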
MYTH 2: External Internet threats are more threatening in the cloud.
Some of the top external security issues identified in the Cloud Security Alliance's 2013 top-threats report include data breaches, account hijacking, insecure APIs and denial of service. These concerns are not new to the Internet economy. A variety of defenses can be used against these attacks, ranging from basic firewalls, vulnerability scanning and encryption to network intrusion detection and prevention, multifactor access control and monitoring. Implementing a series of concentric defenses provides a stronger security posture than any one of them alone.
DEBUNKED: External Internet threats are real, but no more threatening to the cloud than to any other service delivery environment. Enterprises deploying a private cloud must provide the same level of scrutiny for both detection and prevention that they would take when deploying workloads using a hosting provider or their own internal IT infrastructure.
MYTH 3: You can't control where your data resides in the cloud.
Data residency is a key concern, and many countries have regulations that don't allow the exporting of personal data or its storage in another country. When data residency is a concern, particularly for personally identifiable information, private health information, and tax and financial information, the choice of cloud provider must in part be based on where the provider operates cloud data centers.
Customers that must deliver cloud services to users on multiple continents need, at a minimum, a service provider with locations in the required countries that adhere to strict data governance policies.
DEBUNKED: This myth is easily addressed by selecting a cloud provider that has a global footprint and offers data accountability. When the workloads and applications being moved to cloud require it, a private cloud is a simple way to address data governance.
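Choosing a provider with data centers in the right countries is only half of the control; the placement of each dataset still has to be checked against the residency rules for its classification, and replicas and backups are the usual place that check is forgotten. The following added example (not code from the article or from CSC) evaluates a constructed inventory of datasets against a constructed residency policy, covering primary and replica regions. The region names, the region-to-country map, the classification labels and the per-classification allowed countries are all assumptions made for the example; in practice the map comes from the provider's published region list and the policy from the organization's own legal requirements.

```python
"""Added example: check dataset placement against a data-residency policy.

Every mapping below is constructed for illustration, not taken from any provider
or regulation. Policy value None means the classification has no residency limit.
"""
from dataclasses import dataclass

# Assumption: the provider publishes which country each region is located in.
REGION_COUNTRY = {
    "eu-west-1": "DE",
    "eu-west-2": "FR",
    "us-east-1": "US",
    "ap-south-1": "IN",
}

# Assumption: classification -> countries where that data may be stored.
RESIDENCY_POLICY = {
    "pii": {"DE", "FR"},
    "phi": {"DE"},
    "financial": {"DE", "FR", "US"},
    "public": None,
}


@dataclass(frozen=True)
class Dataset:
    name: str
    classification: str
    region: str                   # primary storage region
    replica_regions: tuple = ()   # replicas and backups also count as storage


def residency_violations(datasets, region_country=REGION_COUNTRY, policy=RESIDENCY_POLICY):
    """Return human-readable findings; an empty list means every dataset is compliant."""
    findings = []
    for ds in datasets:
        if ds.classification not in policy:
            # Unknown classification: fail closed rather than assume it is unrestricted.
            findings.append(f"{ds.name}: unknown classification {ds.classification!r}")
            continue
        allowed = policy[ds.classification]
        if allowed is None:
            continue
        for region in (ds.region, *ds.replica_regions):
            country = region_country.get(region)
            if country is None:
                findings.append(f"{ds.name}: region {region} has no published country")
            elif country not in allowed:
                findings.append(
                    f"{ds.name}: {ds.classification} data in {region} ({country}) is not permitted")
    return findings


# Constructed sample inventory with three deliberate problems.
SAMPLE_DATASETS = [
    Dataset("customer-records", "pii", "eu-west-1", replica_regions=("us-east-1",)),
    Dataset("patient-scans", "phi", "eu-west-2"),
    Dataset("ledger", "financial", "eu-west-1", replica_regions=("eu-west-2",)),
    Dataset("marketing-site", "public", "us-east-1"),
    Dataset("build-logs", "internal", "ap-south-1"),
]

if __name__ == "__main__":
    for finding in residency_violations(SAMPLE_DATASETS) or ["no violations"]:
        print(finding)
```

On the sample inventory this flags the PII replica in the US, the PHI primary in France, and the dataset with an unrecognised classification, while the public site and the financial ledger pass. Treating an unknown classification or an unmapped region as a finding, rather than silently allowing it, is what keeps a gap in the inventory from becoming a gap in compliance.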
MYTH 4: Certifications are standard in a cloud environment and provide assurance to subscribers.
The same certifications that clients trust in traditional IT service delivery environments can be applied to applications running in a cloud environment. Whether it is SSAE 16 for financial services, PCI-DSS for credit card processing, or HIPAA for healthcare records, certifications and compliance regulations are the foundation for building a trustworthy service.
It's important to note that compliance in cloud is really no different from compliance in a hosting environment, except that in the cloud, the infrastructure and applications are assembled on a single distributed infrastructure.
DEBUNKED: Certifications are good reference points, but by themselves they are insufficient proof that the cloud provider will satisfy all of the subscribed organization's security and compliance needs. It is ultimately the cloud consumers who are accountable for ensuring that their organizations' security and compliance requirements are met. Subscribers need to understand the security capabilities and processes of their cloud provider and not rely on certifications alone.
MYTH 5: Clouds are not inherently transparent.
Lack of transparency or visibility into the cloud environment, which IT governance depends on, is often cited as an obstacle to moving workloads to the cloud. Establishing digital trust with a cloud provider requires both security and transparency: visibility into what happens inside the cloud environment.
Users should investigate service providers that have adopted the CloudTrust Protocol (CTP). This protocol was created to provide cloud consumers with the right information to confidently make choices about the appropriate processes and data to put into each type of cloud, and to sustain information risk management decisions about cloud services.
DEBUNKED: Transparency in the cloud is feasible. Not all cloud providers place an emphasis on this, or spend the dollars to provide the visibility that enterprise cloud users should demand. Compare and contrast the transparency and security reporting features and capabilities of cloud providers. Determine whether the transparency is offered as a provider's standard operating procedure or is an expensive add-on service.
While we've addressed some commonly held myths about cloud security, ultimately the customer needs to examine the security and compliance requirements of each application to be migrated to the cloud. Consumers need to match those requirements to the right cloud deployment, based on the level of resource segregation required, and to the cloud provider that delivers the security and data protection the application needs.
ROBERT A. KONDILAS is offering manager, Cloud Security and Compliance, at CSC.