“How you fill in security is also of great importance in the public cloud. But you cannot approach this with the same methods that work well for on-premises.”
As the cloud has great benefits more and more organisations are working according to a cloud-first strategy. The data centres that run the cloud are well secured, but this is only part of the puzzle. Cloud suppliers are not responsible for the way in which customers use the cloud. You can secure data centres as much as you want, but if the cloud environment is not designed safely, there are still great risks. Risks that you are liable for.
How you fill in security is therefore also of great importance in the public cloud. But you cannot approach this with the same methods that work well for on-premises. They will no longer suffice in (multi)cloud environments.
On-premises vs. cloud security
Cloud security is very different from securing on-premises networks. With a traditional network you could set up a firewall around your entire organisation, whereas with a public cloud infrastructure part of your organisation is outside of that wall. Therefore security is no longer a matter of keeping everyone out; you now have to let everyone in whilst keeping unwanted guests out.
Access security is nothing new. One of the oldest methods to force your way into networks is still guessing passwords or obtaining them via social engineering. This also applies to the public cloud, but with an important difference.
For on-premises networks, security is about people. Since the entire network is protected, it is especially important who you give access to the network. You can firmly secure it with multi-factor authentication (MFA), for example; which is an extra step that hackers cannot replicate easily. But it is mostly external processes that pose a big threat in the cloud, and MFA will not help you combat them.
Another solution is required for process authorisation. The use of API keys is a commonly used method. It works really well, but API keys cannot be secured with MFA. If an API key falls into the wrong hands or is not deactivated in time, security gaps are created instantly.
Flawed use of available security tools
Cloud security can rely on powerful tools. Microsoft Azure has the Security Center, AWS supplies Security Hub and Google Cloud has the Cloud Security Command Center. These tools build an extra wall around the entire IT environment, both for on-premises as in the cloud(s). The entire environment can then be monitored from one location.
Suspicious use of API keys will therefore immediately be detected. These and other insights are extremely valuable and make a lot of older security measures redundant. We notice, however, that they are not used often. People rely on old, well-known security solutions to secure the cloud. This is understandable, but these solutions are less fitting because cloud environments are more complex than on-premises networks. In addition, it is often expensive and needlessly complex to apply these solutions in the cloud, which leads to efficiency problems and unforeseen vulnerabilities.
The biggest challenges of cloud security
Companies are often unaware of the new security challenges that a transition to the cloud (whether hybrid or even multicloud) entails. Compliance is one of these challenges. For example, it is extremely difficult to extend SOC 2 standards to the cloud, let alone to a multicloud environment. Few companies are able to do this – and Solvinity is one of the Managed Service Providers that can do it for you.
Furthermore, matters such as hardening are a lot more difficult in the cloud. Continuous hardening is part of every decent security strategy, to make sure that no unintentional security gaps are created. Hardening is already very difficult to implement in on-premises environments, but extending it to a cloud environment is even more difficult.
The biggest challenge of this cloud world is keeping up with lightning-fast developments. This is nearly impossible for non-specialists because cloud security requires very specific knowledge. Experienced cloud security specialists are hard to find, and training their own staff is often not an option for companies.
The help of an external specialist can therefore add a lot of value if you do not want to be unnecessarily vulnerable in a public cloud. This way you can rely on experienced people who are fully focused on supplying the most efficient and effective cloud security, whether you have a private, public, hybrid or multicloud environment!
By Izak-Jan van den Nieuwendijk, team lead Public Cloud at Solvinity.
Find out more about Solvinity here.