The migration of digital infrastructures into the cloud has become a distinct trend in the enterprise sector over the past few years, and the COVID-19 pandemic has accelerated this process. The range of public cloud customers now spans government and commercial organizations of all sizes. However, this shift has raised a host of security issues that run the gamut from the delineation of responsibilities to customers’ concerns over the intactness of their data.
Public cloud security: Expectations and reality
The efficiency of using cloud services largely depends on the level of customer maturity. A customer who has experience working with a cloud service provider is better prepared for the interaction and understands the logic of splitting the responsibilities. As a rule, such clients have a separate policy that addresses different aspects of cooperation with external cloud services and specifies metrics for this relationship. At best, the customer has a clear idea of the security mechanisms they can apply.
There is also the opposite situation, when the customer expects that they will get the full spectrum of security services at the IaaS level, only to end up with problems down the road. Even so, when moving to the cloud, the company finds itself in a more organized environment than before, which gives its security posture a boost. A less common approach is to build an information system from scratch using a cloud provider’s modern and secure tools instead of completely outsourcing it.
Some cloud providers are criticized for boiling down their business model to resources such as disks, cores, and channels rather than services the client actually needs. According to this narrative, the customer is not interested in grasping the ins and outs of the technical implementation of the cloud service as long as they get the required features quickly, seamlessly, and with a decent level of security.
This kind of situation applies to a small segment of cloud customers, mostly small or medium-sized businesses. Large organizations mainly stick to the following principle when cooperating with providers: give us the resources, and we will use them to build what we need.
When it comes to the impact of regulators upon this market, any government supervision ultimately makes the service more expensive. At the same time, some customers misinterpret rigid regulatory requirements and express excessive demands to the service provider when they move to the cloud. In this case, the cloud provider can also act as a consulting intermediary in a dialogue between the customer and the regulator.
How to use public cloud securely
InfoSec specialists must accept the fact that some of their duties and privileges will end up in the provider’s area of responsibility after migration. That being said, the organization’s security department should focus on auditing and compliance controls based on standards specified at the beginning of cooperation.
To organize a frictionless workflow in the cloud environment, a security professional needs to be a good manager and know how to make the most of the metrics and controls available to them. As the company gains experience with cloud infrastructure, it starts formulating more complex and meaningful questions for the provider. Its InfoSec team members become more interested in network security, protection of web resources, and monitoring tools the provider can offer. It is also increasingly important to them how the cloud provider monitors security events, how it responds to virus attacks, and how it informs customers about these incidents.
Let us now touch upon the recommended sequence of actions for secure infrastructure migration into the cloud. Here is a summary of the security mechanisms you should pay attention to and the actions you should perform:
- Ensure continuity: specify a fallback procedure and have a plan B for switching to another provider.
- Determine the goals you want to achieve by moving to the cloud; think of the criteria and figure out if the cloud provider of choice meets them.
- As far as security tools are concerned, follow a comprehensive approach and select the ones that fit the context of your objectives.
A concept called security inversion is an important component of cloud evolution. The basic idea is that the focus of InfoSec professionals should be on the user rather than the data center as it used to be. This situation seems reasonable because all information systems work for humans, and humans, in their turn, are the weak link in the security loop. The inversion forms a foundation of a multi-pronged approach to security that takes all aspects of the customer’s activities into account.
Nurturing trust in cloud providers
Trust is one of the building blocks of successful interoperability between a customer and a cloud service provider. Which factors are decisive in this area, and which are less significant?
First things first, the issue of distrust in the provider is an issue of distrust in its employees. The only way to reassure the customer about the security of their infrastructure is to show how public cloud security works. During the audit process, the customer can ascertain that the provider has implemented and follows all the necessary security procedures, including those that specify rules for interacting with contractors and controlling the work of system administrators.
Meanwhile, the presence of various certificates and attestations is not necessarily a factor that increases confidence in the provider. Nevertheless, certification is not only a marketing tool but also a way to organize the functioning of a cloud service, so it undoubtedly plays a role.
Zooming back into the issue of trust in the employees of a service provider, it’s worth mentioning that no company is safe from insider threats. An effective way to prevent leaks of sensitive data is to record, store, and analyze events that occur in the information system of the cloud provider.
What does the future hold?
Putting the computation power and data assets under the control of a provider whose risks are standardized and whose resources are reliable is the right approach. Therefore, companies will continue to move their infrastructures to the cloud and join forces with service providers to look for mechanisms to control and systematize this interaction.
One of the promising strategies is the involvement of insurance companies to hedge customer risks. Insurers will be interested in a comprehensive assessment of the cloud provider’s security system and can act as independent auditors and guarantors in the relationship between the two parties.
Public cloud security is a serious concern for potential customers. While service providers argue that such fears are unfounded, they must learn to prove this position when discussing such issues with clients. The dialogue is possible, a consensus is achievable, and the prospects for the further development of this market segment are impressive.