Bob Tarzey, Analyst and Director, Quocirca, who will be a keynote stage speaker at Infosecurity Europe 2017, comments on "More cloud, more security?"
Do public cloud platforms add to data security woes or help mitigate them? The answer is both.
Reputable providers of public cloud platforms have security at their core. Their businesses live and die by their reputation for maintaining the security of their customers’ data. It is hard to come up with examples of data being compromised, when stored via a public cloud service, where the fault has been with the underlying platform as managed by the provider. This is true for both infrastructure- and software-as-a-service (IaaS and SaaS).
However, cloud services rely on a shared security model. How an application is deployed to a base IaaS platform depends on the customer, not the provider. This includes the standard of the software and the maintenance regime that keeps it up to date. For all cloud services, how access rights are provisioned and de-provisioned is down to the customer. The way data is stored is also a customer choice: for example, should encryption be managed by the customer or the provider?
To this extent, applications deployed to the public cloud are no different to those deployed on-premise. There is, however, a difference in the way they are accessed, which is often over the public internet. This potentially makes them more open to probing by hackers for vulnerabilities and access points. So the considerations for how network access is provided, and for the application security measures put in place, differ.
Of course, more and more applications are being opened to external users. This is not a new phenomenon, as a 2014 Quocirca research report showed (Online domain maturity). Any open application, deployed on-premise or in the cloud, can be probed with relative ease. However, this is when public cloud platforms can come into their own. By their very nature, they must be open and secure at the same time. With the underlying platform taken care of, the customer can focus on the integrity of the software they are deploying and on controlling access rights.
There is also the issue of shadow IT, the growing tendency of line-of-business and end users to subscribe to their own cloud services. This includes consumer-focussed cloud data storage systems. Many chief information security officers (CISOs) are pragmatic about this, accepting that such usage can only be monitored and controlled, rather than blocked.
With the General Data Protection Regulation (GDPR) looming across Europe, many of these issues are top of mind. How do you audit the use of cloud services and meet compliance requirements? In fact, many cloud services may help with data security, rather than undermine it, especially for mid-market organisations, as was pointed out in a recent Quocirca buyer’s guide for Computer Weekly (Dealing with data under GDPR).
Many IT managers may be struggling to articulate the benefits of cloud services over in-house deployments to senior management, especially when it comes to data security. However, Quocirca believes a strong case can be made that public cloud services improve, rather than undermine, an organisation’s data security posture.
Bob Tarzey will be taking part in two seminars at Infosecurity Europe: "How to Embrace the Internet of Things (IoT) Opportunity, While Controlling the Expanding IT-Security Attack Surface" on Tuesday 6th June, 16:40 – 17:05 (speaker), and "Securing Cloud 4.0: New Approaches to Protect Data in the Cloud" on Wednesday 7th June, 15:45 – 16:35 (moderator).