Cloud adoption has been on the rise and experts predict exponential growth in the coming years. Companies that switched to a Cloud model report benefits in terms of efficiency, deployment time, and ease of collaboration.
Cloud computing has major advantages over traditional infrastructure:
- Lower upfront cost
- Modular architecture
But there are also challenges to overcome. Security and privacy have been reported as two of the biggest obstacles to adoption. At the same time, 27% of companies see security as one of the benefits of moving to the Cloud. It’s a double-edged sword. The key is adapting your governance around security to make sure that you get these benefits, because it does change when you move to the Cloud or work in a hybrid environment.
It’s probably no surprise that 3 out of 4 enterprises think of security as the number one concern when designing a Cloud migration strategy. Threats can vary, from infrastructure misconfiguration to unauthorized access or insecure APIs, and can also stem from a lack of good governance around Cloud usage.
What is Cloud security?
Cloud computing is, by definition, a shared pool of resources. This leads to the concept of a “shared responsibility model” when it comes to security. Cloud service providers and Cloud consumers each have to take responsibility in various areas to reduce the risk of introducing vulnerabilities into their environment.
The key to a successful Cloud implementation is to know precisely who is responsible for what, at any given moment.
AWS, for example, says it plainly:
- The Cloud Service Provider handles “Security OF the Cloud”
- The Cloud Consumer handles “Security IN the Cloud”
Depending on the kind of service you’re using (IaaS, PaaS, or SaaS), the responsibilities are different. As a Cloud user, you need to review the documentation and training supplied by your Cloud service provider.
Cloud security is a collection of measures and technologies designed to protect the data, the applications, and the infrastructure from external or internal threats.
Security and governance go hand in hand. Security deals with identities and access to resources, while governance sets policies around using those resources.
Cloud computing has an impact on governance because it either adds a third party to the process (in the case of a public Cloud) or might change internal governance structures (in the case of a self-hosted private Cloud). The main thing to keep in mind when governing Cloud computing is that an organization should never outsource governance responsibility, even when using external providers.
Security concerns in different Cloud deployment models
There are different Cloud deployment models. The most well-known are Public, Private, or Hybrid Cloud. The security concerns depend on the deployment model that you choose.
If you only use Public Cloud, then it is advisable to use as many as possible of the tools provided by your Cloud provider to ensure your security.
In any model, Identity and Access Management (IAM) is very important to consider. The best way to do that depends on your deployment model.
Central Identity and Access Management (IAM) and robust attribute-based access control (ABAC) or role-based access control (RBAC) policies are important concepts to be considered when moving to the Cloud.
Gartner’s definition of IAM is “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.”
Organizations are responsible for creating a detailed plan for managing identities and authorizations in the Cloud. Both ABAC and RBAC are supported by Cloud platforms. RBAC is the traditional model. It usually relies on a single attribute and it’s easier to implement.
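An added illustration of the RBAC and ABAC difference described above (not code from the original article or from any Cloud provider): the same request is evaluated first on the role alone, then on the role plus user and resource attributes. The role names, attribute names and rules are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed role table (hypothetical names): RBAC looks only at the role.
ROLE_PERMISSIONS = {
    "developer": {"storage:read", "storage:write"},
    "auditor": {"storage:read"},
}

@dataclass(frozen=True)
class Request:
    role: str
    action: str
    user: dict = field(default_factory=dict)      # e.g. department, mfa
    resource: dict = field(default_factory=dict)  # e.g. environment, owner_department

def rbac_allows(req):
    """RBAC: the decision rests on a single attribute, the caller's role."""
    return req.action in ROLE_PERMISSIONS.get(req.role, set())

def same_department(req):
    dept = req.user.get("department")
    return dept is not None and dept == req.resource.get("owner_department")

def mfa_outside_dev_test(req):
    # Unknown or missing environment is treated like production (fail closed).
    return req.resource.get("environment") in {"dev", "test"} or req.user.get("mfa") is True

# Constructed ABAC rules: all must hold in addition to the role check.
ABAC_RULES = [("same department", same_department),
              ("MFA outside dev/test", mfa_outside_dev_test)]

def abac_decision(req):
    """Return (allowed, names of failed rules) for role plus attribute checks."""
    if not rbac_allows(req):
        return False, ["role lacks permission"]
    failed = [name for name, rule in ABAC_RULES if not rule(req)]
    return not failed, failed

if __name__ == "__main__":
    prod = {"environment": "production", "owner_department": "payments"}
    req = Request("developer", "storage:write",
                  {"department": "marketing", "mfa": False}, prod)
    print("RBAC:", rbac_allows(req))    # role alone permits the write
    print("ABAC:", abac_decision(req))  # attributes deny it and say why
```

Returning the names of the failed rules makes each denial explainable in an audit log, which is the main operational cost of ABAC compared with a plain role lookup.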
How can you enforce security and compliance in the Cloud?
For your company to fully benefit from Cloud adoption, it’s crucial to integrate security and full compliance inside Cloud foundations and maintain the required security level throughout the continuous lifecycle.
There is no one-size-fits-all approach to Cloud adoption. Every organization is unique, and oftentimes the answer is a mix of Cloud and on-premises.
When securing your infrastructure, we recommend that you systematically consider the following actions to enforce security and compliance in the Cloud:
- Get the right mindset
- Don’t replicate legacy security in the Cloud
- Adopt a zero-trust approach with Cloud-native security features
- Use Cloud-native architectures
- Use service mesh as a central control plane of policy definition and enforcement
- Use identity as the security perimeter instead of the network
- Monitor to keep track of your business goals
- Automate detection & response
- Measure and test your code in the different stages of deployment so that you can bring a secure application to market quickly