Public Cloud Security: Common Concerns and Solutions

Public cloud adoption in the enterprise has grown to 91 percent, according to RightScale¹, but despite this widespread use, concerns about security haven’t gone away. Deservedly or not, the perception public clouds aren’t as inherently secure as other environments has been tough to shake.

Those concerns aren’t stopping businesses from housing data in public clouds. In fact, its use is substantially higher than private cloud adoption, currently estimated at 72 percent. Public clouds, after all, offer hard-to-resist benefits – cost effectiveness, elasticity and efficiency among them. But for peace of mind, if nothing else, business and IT leaders must carefully choose which data to house in a public cloud vs. a private cloud  or on premise infrastructure.

These decisions require strategic thinking to put proper security controls in place.

Understand the Environment

Public clouds, as the name indicates, are publicly available for use by anyone with an internet connection. Clouds such as Dropbox and Apple iCloud offer some services for free, but generally speaking public cloud services are available by subscription.

Trusting data assets to the public cloud requires an understanding of the associated risks and rewards. You need to know where your responsibilities and obligations of the public provider end, and where yours begin. Moving to the cloud does not abdicate your of the need to be diligent when putting appropriate controls in place. Never assume. While the public cloud offers cost, flexibility and scalability benefits, it also has a downside. Think of it as living in a crowded apartment building. You want to install good locks and window shades to keep out nosy neighbors.

Any data in the public cloud has to travel through the open internet – much like hallways are shared with neighbors in apartment buildings. While it’s possible to secure data in motion by encrypting it, the data is still sharing pipes used by a multitude of other public cloud customers. And when it arrives, there’s a chance it could be viewed by the wrong eyes.

You’ll want assurances from the cloud provider – the landlord, if you will – that the environment is secure. The data should reside behind a firewall in a facility with both physical and cybersecurity controls. Your provider should follow best practices and update the cybersecurity infrastructure regularly to keep up with a threat landscape that changes constantly.

Visibility is another consideration. Find out how much visibility the provider allows you into your own data and what controls are in place to block other users of the same public cloud to access it. What kind of reporting does the provider deliver on the status of your data, and is it enough to meet your requirements?

Make Data Decisions

When choosing a public cloud, do your homework so you can make sound decisions on what types of data to trust to the cloud. As a rule of thumb, companies keep their most sensitive data – medical records, financial documents, intellectual property and proprietary competitive data – away from the public cloud, opting instead for a private cloud or on-premise environment that gives them more control over administration and security.

Healthcare and financial data is subject to strict regulations that prescribe what types of security controls must be in place and, as in the case of Europe’s General Data Protection Regulation, where it can be housed geographically.

But certain types of applications, such as email, collaboration and productivity suites, are more suitable to a public cloud. Of course, they still need security but the requirements typically aren’t as stringent. You’ll still need security controls on your end such as encryption, strong authentication policies and least privilege user rules.

Rein in the Rogues

Another important aspect of public cloud security involves reining in rogue cloud use. In what is referred to as “phantom IT,” businesses units sometimes sign up for cloud services without IT approval. This can create security risks if corporate-sanctioned access controls and policies aren’t in place, possibly inviting a cyber-attack.

And we all know the consequences of a cyber attack: Downtime, productivity and revenue losses, remediation costs, possible regulatory fines, and loss of trust with customers. No company ever wants to be in that position. So whenever considering the use of a public cloud, be sure to:

• Understand the provider’s security controls
  
• Define yours and the provider’s responsibilities
• Implement security controls such as user authentication on your end
• Choose the right data to reside in the cloud
• Keep abreast of any changes at the provider that might affect your data

In fairness, public cloud security has been the subject of more skepticism than it deserves. But that doesn’t mean organizations should be cavalier about what data and applications to house in the cloud. The more upfront research you do, the better your chances of coming up with a solid security strategy.

Click here for more information on how we can help you build a cloud security strategy.