False Sense of Security?

By Nick Lumsden

What You Need to Know About Public Cloud

Millions of companies are looking to the public cloud to run a wide range of applications and store petabytes of information without the need to manage their own on-premise infrastructure. Most assume that public cloud solutions are highly compliant and secure – after all, they list an alphabet of compliance certification acronyms. However, it is critical for organizations to be aware of the difference in security of the cloud versus security in the cloud and where you fit in. This can help you avoid making some of the most common mistakes in the public cloud.

The Shared Responsibility Model: The Fine Print You Must Read 

The first common mistake made in the public cloud is not understanding your cloud provider’s responsibilities matrix. Public cloud providers are in charge of delegating responsibility for security. 

Public Cloud providers begin by examining your entire stack of applications and dividing responsibility for various controls. At the physical, foundational level, the cloud provider is on the hook for protecting data centers, the cloud network that operates on that foundation, and the hypervisor that creates and runs the host machine – that’s the security of the cloud. That’s it. For everything else, public cloud customers are responsible for security and compliance.  

So, what’s on your list of responsibilities? Everything that happens in the cloud – data, applications and services running in the cloud. As soon as you build an SC3 bucket, that’s yours. When you layer on your data or start an EC2 incidence, there’s nothing the public cloud is providing that makes you secure. You choose the operating system, the applications, the user data and the services you layer over it; you’re responsible for keeping it secure. 

Their Size Doesn’t Matter

When selecting a public cloud partner, many organizations make the mistake of bypassing research in lieu of a big-name brand. The Big 3 – AWS, Azure and Google – are known quantities, we’ll just pick one, right? Wrong. Organizations should create a needs assessment and evaluate their priorities for a public cloud partner, including seeking referrals from your trusted network of influencers, and evaluate providers based on their ability to meet the specific requirements of your industry, regulatory environment or organizational digital transformation plans.

Bigger does not mean more secure. In fact, the headlines have been full of examples of significant public cloud breaches of customers working with big public cloud providers. Acknowledged bucket breaches include but are not limited to Dow Jones having 2.2 million records exposed and the Pentagon having more than 24 terabytes of data exposed. Major brands like Verizon, Marriott/Starwood and Deloitte alone have reported data and internal email breaches impacting more than a half million exposures.

Regardless of size or name, there are some key qualities to seek in a cloud partner. Make sure they have traditional security elements of computing, storage and networking, and thus are a legitimate cloud provider. Confirm they are on 24-hours-a-day, seven days-a-week, 365-days-a-year. Verify that they use leading security technologies and have embedded in-house security policies for people, processes and technologies to rapidly detect and remediate any potential threat. Understand whether they have additional services like disaster recovery and backup to help you effectively manage your areas of responsibility. 

Compliant Does Not Equal Secure 

The third common mistake made in the public cloud is assuming that secure and compliant are synonymous. Public cloud providers are heavily audited by the best firms in the business to ensure the security of their controls is spot-on, so that should make you feel good, right? Yes, but don’t underestimate the impact of the human element on the public cloud. 

Most breaches happen as a result of human error. Let’s take PCI as an example. There are 245 controls and 12 requirements. When you move to Azure public cloud, for example, just twenty – or approximately eight percent – of those controls are Azure’s responsibility. The rest are yours. 

Remember that while this cheap storage is great, you must use the same, if not greater, diligence in this ecosystem as you did before cloud. In your former, self-owned and managed ecosystem and storage platform, you had some sort of security perimeter. If someone in your company made an access mistake, everyone in your organization got in. In the cloud when someone makes an access mistake, the whole world gets in.

Your Size Doesn’t Matter 

Another common mistake organizations make is assuming that if they are comparatively small holders of data, they will not be a target for hackers. This is a huge fallacy that becomes clear when you consider the value of an individual record on the black market. In healthcare, a medical record is worth $150 to black hat hackers in Brazil, China and Russia. A Medicare record is worth $600. Even if you hold a very small amount, say 10,000 records, that’s at least $1.5 million in value to a hacker. If you keep credit card information, that’s hugely lucrative too.

A hacker looking through your data doesn’t know who you are and frankly, doesn’t care. They look for and exploit exposed infrastructures with the greatest number of vulnerabilities regardless of who you are or what data you have. The takeaway: you can’t value security based on the size of your company; you must value it based on the value of your data.

Public cloud is a great development environment; you get inexpensive storage, maybe some free services, and you move your data there thinking it’s safe. But it’s important to never lose sight of the fact that you no longer have the perimeter fail safe. Encryption is king, and it’s your responsibility. When you transmit data the public cloud, it is not secure until you secure it. AWS provides some good things for data security, but keeping sensitive information encrypted can really help out with security. Finding ways to reduce your AWS costs, and then spending the savings on better security could be extremely helpful in the long run.

Knowledge is Power

All of this can be a little scary, but it should not deter you from using public cloud. Advances are constantly being made, great new services are coming online, and SaaS solutions are exploding with possibility. You should embrace your organization’s digital transformation as you explore the technology you will use for your own ecosystem. You just need to make sure you apply your own due diligence for selecting infrastructure, you understand your responsibilities, and you know where the pitfalls lie. 

Nick Lumsden is Chief Operating Officer at Otava, a global cloud solutions provider helping customers access all the components they need to build their secure, compliant technology ecosystem.