editor’s question
do public cloud service and
cloud infrastructure truly
present a higher level
of security exposure
compared to the
evolved corporate
data centres that
are equally exposed
to the same
cyberthreats?
SCOTT GORDON,
(CISSP), CMO
FOR PULSE
SECURE
S
ecurity has
historically been
the top concern
expressed by
prospective
cloud adopters.
Although this
fear is often unfounded in terms of
the security of core public cloud
infrastructure, protecting the servers
and apps deployed within these clouds
is only as good as the security that
customers choose to implement on top.
As the number of intrusions and larger
data breaches increase across all types
of infrastructure, the cloud is an ever-
growing target for the cybercriminal and
with the rise of multi-cloud, this issue
may become more pressing.
When adopting or expanding into the
cloud, organisations should ask two key
questions: firstly, do the cloud security
risks, perceived or real, outweigh the
advantages that cloud infrastructure
and cloud services provide? Secondly,
30
Organisations, as a
starting point, need to
establish foundational
secure access defences
that provide visibility and
data protection as they would
in the on-premise world. This
requires not only session-based
protection but the incorporation of multi-
factor authentication (MFA), single-sign-
on (SSO), split tunnelling and a pre-and
post-connect endpoint security checking
mechanism to fortify compliant access
to cloud resources.
Each organisation will have a different
risk profile, corporate culture and
workflow, meaning the answers need
to be looked at based on the individual
use case. However, broadly speaking
the underlying cloud security delivered
by cloud infrastructure providers
will often be better than that which a
smaller or mid-sized enterprise could
do for themselves. The hundreds
of millions of dollars that Amazon,
Microsoft and Google alone spend on
securing their respective clouds is hard
to replicate in-house.
The cloud is an ever-
growing target for
the cybercriminal
and with the rise
of multi-cloud, this
issue may become
more pressing.
At the technical level, cloud security has
strengthened considerably over the last
few years and the cloud infrastructure
providers excel in offering more
advanced security features that are
either built-in as standard or are turned
on for an additional fee to provide a
deeper level of protection.
An example of a more powerful cloud
security capability is micro-segmentation
that enables granular access
management as well as limits exposure
in so-called east-west traffic.
Most cloud providers now provide
integrated hardware key management
solutions with back-end integration
to their persistence services for data
encryption in motion and at rest.
This not only secures the production
copies of the data, but all versions,
analytics or back-up replicas as well.
However, the cloud providers are
still impacted by the technology rate
of change and the complexity of
different cloud technologies that create
inconsistency and gaps in security
posture. This increases the probability
for exposing (known) vulnerabilities
and human errors that by themselves,
or together, increase the likelihood of
intrusion and compromised information.
The main difference is that when these
issues arise, the providers can and
will dedicate a lot more expertise and
resource to fixing the problems quickly.
For many organisations that have
weighed up the pros and cons, cloud
services’ agility, flexibility and OpEx cost
model may outweigh potential risks,
especially when it comes to mainstream
cloud service providers (CSP) or
hosting providers offering commoditised
services such as email, collaboration
and content management.
In addition, emerging Secure Access
Orchestration solutions offer the means
for IT to holistically manage access
visibility, policy and enforcement
consistently across data centre and
multi-cloud environments. u
Issue 07
|
www.intelligentciso.com