Cloud Security is an oxymoron. Or, is it?

Tuesday, January 27, 2015

"We, for sure, aren't moving to the cloud yet. We are very security conscious given the nature of our business" - This is what a senior IT professional from a healthcare company told me at a conference a few months ago. Probing questions from me about workload specifics, the nature of the risks, the type of cloud and so on met with little or no response.

This gentleman is not alone in his belief that his organization is somehow more secure than the Amazons or Microsofts of the world simply because it owns and controls its own applications and infrastructure. On top of this, there are apprehensions about job losses associated with a move to the cloud, and a resistance to change that manifests itself as exaggerated security concerns.

I am not suggesting, even for a minute, that there are no security concerns with respect to the cloud. There are, without an iota of doubt. My point is twofold: a) the security concerns should have an organizational context, which means that a comprehensive risk assessment needs to be carried out; b) in the majority of cases, the concerns can be addressed.

If one digs deeper into the subject, one can clearly differentiate between public cloud security and private cloud security. The latter is less of a concern, since the enterprise owns the applications/infrastructure in most cases and has control over them in all cases. In fact, what we have seen in our experience with private clouds is that, given the amount of automation/orchestration inherent to a private cloud setup, security enforcement becomes much easier: a control that is baked into the provisioning workflow is applied the same way every time, instead of depending on each administrator remembering it. As an example, we helped a US-based insurance company achieve 100% PCI compliance for their private cloud by automating/orchestrating infrastructure provisioning according to the defined standards/controls.

Security in public clouds needs a bit more work, even though the cloud providers are constantly working on it. To start with, one needs to ensure data security both at rest and in transit. Various encryption techniques are available today to handle this, including appropriate key management techniques; note that encryption at rest is only as strong as the control over the keys, so who holds and rotates them matters as much as the cipher. Not only data but services too need to be protected from unauthorized access, and Identity & Access Management plays a key role here. Enterprises must adopt federated identity using standards such as Security Assertion Markup Language (SAML) and OAuth (OAuth itself handles delegated authorization; the companion standard that adds authentication on top of it is OpenID Connect). We have seen, and also helped, enterprises that use automation/orchestration as a means to enforce public cloud security, for example by automating the hardening of OS images, implementing controls as code in the provisioning pipeline, and so on.
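To make the automation point from the last two paragraphs concrete, here is an added example (not code from the original post, and not any vendor's tooling) of the kind of policy gate that can sit in front of provisioning: a request to create storage, endpoints and instances is checked against the controls discussed above (encryption at rest with key rotation, TLS for data in transit, federated identity with no standing local admins, approved hardened images, no unnecessary exposure to the internet) and refused if any control fails. The request format, the approved image IDs, the port allow-list and the two sample requests are all constructed assumptions for illustration.

```python
"""Policy-as-code gate for cloud provisioning.

Added example, not the post's code. The request shape, the approved image
IDs, the port allow-list and the sample requests below are constructed
assumptions for illustration only.
"""
import ipaddress

# Hypothetical allow-list of hardened OS images produced by an automated build.
APPROVED_IMAGES = {"img-hardened-ubuntu-2014q4", "img-hardened-rhel7-2015q1"}
# Ports that may be exposed to the whole internet; everything else must be scoped.
PUBLIC_PORTS = {443}
# Identity providers that count as federated (SAML or OpenID Connect).
FEDERATED_PROVIDERS = {"saml", "oidc"}
MIN_TLS = (1, 2)


class PolicyViolation(Exception):
    """Raised when a provisioning request fails one or more controls."""


def parse_tls(version):
    """'1.2' -> (1, 2); anything missing or unparsable counts as the weakest."""
    try:
        major, minor = str(version).split(".")
        return (int(major), int(minor))
    except ValueError:
        return (0, 0)


def check_account(spec):
    findings = []
    if spec.get("identity_provider") not in FEDERATED_PROVIDERS:
        findings.append("account: identity provider %r is not federated (SAML/OIDC)"
                        % spec.get("identity_provider"))
    if spec.get("local_admin_users"):
        findings.append("account: standing local admin users present: "
                        + ", ".join(spec["local_admin_users"]))
    return findings


def check_storage(name, spec):
    findings = []
    if not spec.get("encryption_at_rest"):
        findings.append(f"{name}: encryption at rest disabled")
    elif not (spec.get("kms_key") or {}).get("rotation_enabled"):
        findings.append(f"{name}: encryption key has no rotation enabled")
    if spec.get("public_read"):
        findings.append(f"{name}: storage is publicly readable")
    return findings


def check_endpoint(name, spec):
    findings = []
    if not spec.get("tls"):
        findings.append(f"{name}: plaintext endpoint, data in transit unprotected")
    elif parse_tls(spec.get("min_tls_version")) < MIN_TLS:
        findings.append(f"{name}: minimum TLS version {spec.get('min_tls_version')} is below 1.2")
    return findings


def check_instance(name, spec):
    findings = []
    if spec.get("image") not in APPROVED_IMAGES:
        findings.append(f"{name}: image {spec.get('image')} is not an approved hardened image")
    for rule in spec.get("ingress", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        # A /0 prefix is "anywhere"; only the allow-listed ports may be that open.
        if net.prefixlen == 0 and rule["port"] not in PUBLIC_PORTS:
            findings.append(f"{name}: port {rule['port']} open to the internet ({rule['cidr']})")
    return findings


def evaluate(request):
    """Return every control violation in the request; an empty list means it may proceed."""
    findings = check_account(request.get("account", {}))
    for name, spec in request.get("storage", {}).items():
        findings += check_storage(name, spec)
    for name, spec in request.get("endpoints", {}).items():
        findings += check_endpoint(name, spec)
    for name, spec in request.get("instances", {}).items():
        findings += check_instance(name, spec)
    return findings


def provision(request):
    """Gate: refuse to provision anything unless every control passes."""
    findings = evaluate(request)
    if findings:
        raise PolicyViolation("\n".join(findings))
    # The real provisioning calls would go here; only the gate is shown.
    return (sorted(request.get("storage", {})) + sorted(request.get("endpoints", {}))
            + sorted(request.get("instances", {})))


# Constructed sample: a request that violates several controls.
NONCOMPLIANT_REQUEST = {
    "account": {"identity_provider": "local", "local_admin_users": ["root-admin"]},
    "storage": {"claims-archive": {"encryption_at_rest": False, "public_read": True}},
    "endpoints": {"claims-api": {"tls": True, "min_tls_version": "1.0"}},
    "instances": {"web-1": {
        "image": "img-stock-ubuntu",
        "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}],
    }},
}

# Constructed sample: the same workload, specified to the standard.
COMPLIANT_REQUEST = {
    "account": {"identity_provider": "saml", "local_admin_users": []},
    "storage": {"claims-archive": {
        "encryption_at_rest": True, "public_read": False,
        "kms_key": {"id": "key-claims", "rotation_enabled": True},
    }},
    "endpoints": {"claims-api": {"tls": True, "min_tls_version": "1.2"}},
    "instances": {"web-1": {
        "image": "img-hardened-rhel7-2015q1",
        "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}],
    }},
}

if __name__ == "__main__":
    for finding in evaluate(NONCOMPLIANT_REQUEST):
        print("DENY", finding)
    print("PROVISIONED", provision(COMPLIANT_REQUEST))
```

The design point is that the checks run on the request before anything exists, so a non-compliant workload is never created and then "remediated later"; the first sample is refused with seven findings, the second provisions cleanly. In a real pipeline the same checks would be fed by the orchestration tool's own description of the resources rather than a hand-written dict.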

There are compliance issues, such as auditability and access to logs, which still need to be addressed satisfactorily. Governance, systems and processes can be put in place to address these issues as well.

Enterprises have to conduct their own risk assessments, devise mitigation plans, implement them and closely monitor them to ensure the security of their data and services. There are standards and technologies available to support enterprises in such endeavors, and we have seen many enterprises go down this path. As for the few who still believe cloud security is an oxymoron, they will be the ones left behind, unable to reap the benefits of the cloud in terms of economics and agility. However, my belief is that wisdom will prevail sooner rather than later.

Sunil Sarat
