By Chris Riley
Security is still cited as one of the primary reasons to avoid the public cloud. Once upon a time, these concerns made a certain amount of sense. The security tools available from public cloud providers in earlier times were less advanced.
Today, however, we have moved past that age. Even though some people still think the public cloud is insecure, and organizations may still be hesitant to adopt the public cloud for that reason, this mindset will stifle efforts to innovate via the cloud. It will prevent organizations from gaining the cost benefits, application deployment advantages and agility that are products of a cloud-first strategy.
This article explains why the public cloud, when used properly, is as secure as any other type of deployment environment — and may even be more secure in most situations than other deployment options.
Security Types and Approaches in the Cloud
The phrase “IT Security” is just a way to start the conversation, because “security” is a blanket term for a class of technologies and practices. The technologies are:
1.) Network security
2.) Application security
And the practices are:
Each dimension has its own set of processes, best practices and tools. Organizations can also specialize in one area over another (for example, most large enterprises have a lot of experience in IT and network security prevention, but little in detection, remediation and application security).
Security is Part of Public Cloud Hosts’ Business
For cloud providers, security is part of the service they provide. Customers expect their public cloud provider to put deliberate effort into preventing attacks, responding quickly if one happens, and staying ahead of modern types of hacks.
Because it is part of their business, they invest a disproportionately higher amount in security than the typical organization. And the types of experience they have are rooted in datacenter-level security, instead of what most organizations have, which is experience in traditional IT security.
Enterprises are not in the business of security. They will generally not staff up enough and procure the best technology to address it — nor do they typically have a 24/7/365 network operations center, and teams dedicated to understanding the trends in hacking. They’re also not as likely to invest in penetration testing, which helps organizations discover vulnerabilities in their software and infrastructure before they are exploited by attackers.
This does not reflect on the quality of the organization’s IT department. It just means that it’s not core to their business. Where IT organizations in enterprises excel is in IT security for the corporate end user, and many organizations have well-established and hardened solutions to protect their end users. But they cannot say the same for applications.
This is the first place where public cloud security is a huge benefit. It’s a separation of concerns. By offloading compute workloads that are not in the domain expertise of enterprise IT departments, people can focus on the systems and security considerations that are.
There are two areas where security concerns can garner some attention.
1.) The public cloud’s ubiquity invites more attacks: This argument is built on the premise that because it is more popular and has more users, it attracts more hackers (like hunting fish in a barrel), and a private cloud is less known, and draws less attention. This argument has weight; however, hackers generally know that private clouds have more back doors, and targeted enterprise attacks have greater ROI. High-stakes hackers target specific enterprises with specific goals in mind. Their attacks are more sophisticated than those scanning ports on a public cloud IP range, which contradicts the primary concern. (By being secluded, you actually might be attacked more.)
2.) Cloud providers’ employees have access: Most public cloud providers can give plenty of proof of internal processes that prevent internal employees from accessing your services, compute and data. Regardless, you are still in control, and consequently, you should do what it takes to have proper access controls and security.
You are in Control of Your Cloud
When you move workloads to the public cloud, you maintain control. There are a number of steps you can take to enhance security, such as the following:
Password-protect your VMs. This is the first and most obvious example. Identifying VMs is not difficult. If your VM is easily accessible, you have made a security mistake.
When you purchase compute and services from the public cloud, you are still in control. This means you get to enforce your policies, and implement all the same security practices that you have for your private cloud. Not only do you have the same level of control, which immediately diminishes the vast majority of key concerns, but these services have also developed additional tools. Cloud providers have created tools such as monitoring, access controls, and network isolation for greater security — often with newer technology than most organizations have available on-premises.
IT organizations gain a lot by offloading a large portion of their security concerns to public cloud providers. They get to focus more on strategy and policy creation, which are not only higher-value activities, but are also more fun for most. In addition, organizations today may gain better overall security by relying on the advanced security tools that cloud providers offer instead of in-house technologies that are difficult to manage and may not be ideally suited for the deployment environments that they support.
The complete pros and cons list of reasons to offload security to the public cloud is beyond the scope of this post, but suffice it to say that it contains far more pros than cons.
If you’d like to experiment with the public cloud for application deployment, you might consider the current offer of $300 in free credits to new users on Alibaba Cloud, the first public cloud provider to obtain C5 compliance certification.