Convenience is the name of the game with cloud-based software. Compared to on-premises infrastructure and software, cloud equivalents – whether delivered in the IaaS, PaaS or SaaS models – are in theory much easier to access, update and scale. It is no surprise that IT research firm Gartner has predicted worldwide public cloud spend to grow 18 percent year-over-year in 2017, to almost $247 billion.
But cloud computing creates unique security challenges, as we have noted throughout other entries on this blog. Managing risk across cloud environments requires the right tools, but also clear thinking about what is actually dangerous. There are numerous myths floating around about cloud security; let’s try to clear up a few of them.
Myth #1: Cloud infrastructure is inherently unsafe
Migrating data to the cloud means giving up some level of control. For many organizations, even contemplating this shift automatically induces anxiety and leads to assumptions that cloud simply isn’t secure.
The truth is that each organization must consider its own security needs in light of what a specific cloud deployment or service can deliver. For example, if a public cloud won’t work in one situation, then a private cloud might satisfy company requirements.
Depending on the IT infrastructure in place, switching to cloud may also be an improvement. The redundancy of cloud-based resources might help preserve data that would have been lost to a malware infection or natural disaster. Similarly, entrusting security to a SaaS provider could be safer than having limited in-house personnel juggle it as one of many IT priorities.
Myth #2: I don’t have to worry about any security responsibilities in the cloud
This is the flip-side of the first myth, i.e., thinking that the particular security benefits of the cloud provide complete peace of mind about the safety of your applications and information. It is true that with SaaS, the entire stack – from your data to the underlying operating systems – is overseen by the provider. However, customers still have key security responsibilities when working with IaaS and PaaS platforms.
“Customers still have key security responsibilities when working with IaaS and PaaS.”
Moreover, reliance on cloud services can amplify the effects of a data breach, especially in cases in which organizations do not realize how much of their information is in the cloud. A 2014 survey of 613 IT professional, conducted by the Ponemon Institute, found that in incidents affecting 100,000 or more breached records, this cloud multiplier effect could more than doubled the average cost of a breach, to $5.32 million.
This same report revealed widespread confusion about cloud security practices as well as uncertainty about what assets the respondents had migrated to the cloud:
- More than 60 percent believed that their organizations had performed insufficient due diligence when vetting cloud vendors.
- Strong majorities also reported that they lacked full faith in their cloud providers to adequately secure their data.
- While 45 {percent?} of all applications used by respondents were in the cloud, only half of them were visible to IT; this phenomenon of “shadow IT” creates many new security responsibilities and challenges that can be tough to navigate with limited time and resources.
Myth #3: My data is still safer if I just keep it out of the cloud entirely
There are some workloads and datasets that probably cannot be moved to a public cloud for reasons relating to compliance, security and/or performance. These assets are usually the exception rather than the rule, though.
Keeping so much data on-premises creates its own set of risks, as we alluded to in the first myth. One security vendor noted that brute-force attacks – which involve repeatedly trying to guess the right credentials to access a privileged account – are much more common against traditional IT networks than cloud platforms.
An explanation for this gap might lie in how security updates and patches are managed for cloud-based software and firmware. Such updates are usually applied right away, ensuring that any lingering known vulnerabilities are closed and new features are promptly implemented. With self-managed IT systems, it can be challenging to stay ahead of the curve on this critical issue. Taking advantage of cloud architectures, paired with the right partners and security expertise, can be an upgrade over letting data simply sit around on one of your disks.
Myth #4: Cloud architectures are too complex to properly and securely manage
With the rise of hybrid cloud, IT architectures have become more complex than ever – an odd development, considering that one of the value propositions of cloud computing is supposed to be its simplification of business processes. Hybrid cloud combines on-premises infrastructure with public cloud resources. There are often numerous vendors and services in the mix.
The challenge here is in finding a consistent and reliable way to manage all of these assets. New hybrid cloud users may seek either to have cloud infrastructure providers keep tabs on their applications or to find a way to monitor everything a different way. In the latter case, a solution such as a SOC-as-a-Service with hybrid AI capabilities (meaning a combination of traditional machine learning and data analytics with human intervention and guidance) is useful.
With this type of SOC in place, it becomes much easier to gather network logs and flow data from multiple sources and turn them into actionable security insights. Accordingly, security becomes as streamlined as possible in a realm – the cloud – that as we’ve seen doesn’t always lend itself to straightforward security management.
SOC-as-a-Service is your ticket to security that delivers on the promise of the cloud: cost-effective, scalable and built for the age of artificial intelligence.
