Gartner lists cloud computing as one of the top technology investments for the next five years, and the global public cloud computing market is set to reach $258 billion in 2019. The ability to access data from anywhere is the top reason for cloud adoption, with about a third of companies’ IT budgets going to cloud services.
However, many enterprises transitioning to a cloud-only or hybrid cloud environment are unnecessarily hitting roadblocks on issues of security and privacy. There is a common misconception that organizations can fit old security practices into the new cloud environments, and when they fail to do so, the cloud environment is blamed. In fact, the cloud is inherently secure if you follow best practices to secure it. In this blog we separate myth from reality when it comes to cloud adoption.
Myth 1: On-Premise Security is More Robust than Cloud Security
This is one of the most persistent myths about cloud security that just won’t die.
The notion that an on-premise data center and its security is more robust than cloud security is fundamentally flawed. On the contrary, the cloud can be more secure than on-prem. However, this requires following the best practices made for the cloud, and leaving behind the checks and balances we had in the pre-cloud world.
Since the cloud is made up of software, it is much more malleable than the physical infrastructure. It can be updated, audited, and secured in a more complete way than was possible with the physical nature of the pre-cloud environment.
This malleability, however, is a double-edged sword. The main problems facing cloud security are still security misconfigurations and human errors. It is these glitches and configuration errors that lead to the notion of an inherent insecurity of cloud buckets.
In a recent survey of cloud professionals, nearly 22 percent of respondents linked a data breach to compromised credentials. That is why Identity and Access Management (IAM) policy for cloud apps is one key area that must be prioritized in cloud adoption strategies.
Cloud is inherently safer by design, but only when the best practices of cloud adoption are followed to a T. When set up and maintained correctly, the cloud can be much more secure than on-prem environments.
Myth 2: Migrating to the Cloud Means you Don’t Need a Recovery or Backup Plan
The cloud is made up of physical servers. While cooling, power, fire suppression, physical security, and server maintenance are someone else’s headache (namely, the cloud service provider’s), backups are still your responsibility.
Bugs, human errors, and cyberattacks that corrupt or damage data all require the ability to “revert back” to a previous known “sound” version. This is something that you’re responsible for, and the cloud provider won’t do it for you. Setting up backups is something that you need to handle.
Myth 3: Deploying Company Assets in the Cloud Makes you Automatically Secure and Compliant
A cloud service provider can support you in your efforts to be secure and compliant. Still, it’s up to you and your organization to do everything necessary to meet regulatory and compliance requirements. That is why it is crucial to deploy continuous monitoring of both technical and non-technical cloud compliance requirements.
The Importance of the Shared Responsibility Model
Your cloud provider is responsible for the security of the cloud, while you, as a customer, are responsible for security in the cloud.
The cloud vendor is responsible for managing the host Operating System (OS), the virtualization layer, and the physical security of its facilities. But it is up to the customer to ensure security within a given cloud environment.
Don’t forget about your share of responsibilities. You are responsible for configuring and managing the security controls for the guest OS and other apps (including timely updates and security patches), as well as setting up access control. Additionally, you are responsible for encrypting data in transit and at rest.
Myth 4: The Cloud is Difficult to Audit
One of the most pervasive myths is that data can’t be audited as effectively in the cloud as it could be on physical servers. This simply isn’t the case. As the CTO of the U.S. Department of Veterans Affairs states, “with proper tooling, you can conduct much better audits in a cloud-based environment.”
To power up your audits, you need to combine training with tools. Spend time with personnel who conduct audits to see how their work is carried out. Then walk them through your company’s tool capabilities and how to utilize these to alleviate some of their pain points.
When set up and maintained properly, the cloud can be more secure than pre-cloud environments.
It is tempting to sign off and just let your cloud service provider handle everything in the cloud. Providers bring with them powerful capabilities and also take on some parts of the security, such as updating the physical and virtualization layers. But properly conceived security won’t be provided straight ‘out of the box,’ and it never will be.
Your developers and DevOps teams are ultimately the ones who build the cloud environment. If they run wild and you don’t have visibility and necessary controls in place, you won’t be secure. However, if you handle the cloud the way it should be handled – you will be secure. It’s as simple as that.
The Importance of Full-Stack Visibility
Due to the intertwined and complex nature of cloud environments, the basic foundation of securing a cloud environment is gaining full-stack visibility into all its assets. This entails a complete understanding of what is happening in the entire cloud environment across all of its layers: the cloud infrastructure level, operating systems, applications, and data.
Orca’s Cloud Visibility Platform was built for the cloud. Not only does it provide you with full-stack visibility, but it also makes audits easier when compared to pre-cloud environments.