The cloud is the future of business and offers limitless opportunities to optimize operations while minimizing capital expenditures. As part of its flexibility and scalability advantages, the cloud has changed the way organizations collect, store, and manage data — and it has introduced a new security landscape.
Those changes have led to a number of high-profile breaches with serious business consequences. In 2020, as a result of a misconfigured Google Cloud storage bucket, hundreds of conversations with patients using Pfizer medications were revealed, and both personal and medical information was exposed. Additionally, 16,000 accounts lost access to WebEx Teams after an employee who had left Cisco five months earlier was able to log back in and delete 456 AWS virtual machines.
Headlines like these are a wake-up call. To stay secure while embracing the cloud, your organization will need a security program that takes into account the differences between cloud and traditional security.
The Two Paradigms: Traditional IT versus the cloud
In a traditional IT environment, data and services are hosted on hardware that is on-premise, or in infrastructure leased from a third-party data center. The benefits to traditional IT systems include more control over how data is stored and transferred and the use of technologies with which staff have more training and experience. However, traditional infrastructure is often more expensive than the cloud. It is also less flexible if a business’s goals include expanding in size or quickly adding new services.
A cloud model features infrastructure (i.e. servers, storage, and network devices) that exists in software as opposed to on-premise hardware. There are three general categories of cloud infrastructures:
- Public Cloud infrastructure runs on publicly available commercial services, like Google Cloud, Amazon Web Services, and Microsoft Azure.
- A Private Cloud may use similar virtualization and management technologies as public cloud platforms but instead runs them from hardware and data-center space controlled by the business itself.
- A Hybrid Cloud environment takes advantage of on-premise, private cloud, and public cloud services. Most businesses that adopt cloud technologies use a hybrid setup. A hybrid cloud provides a business with the speed and agility of cloud computing but leaves them with the flexibility to keep more sensitive data on-premise.
How Cloud Security Is Different
Though integrity and privacy remain goals no matter what kind of computing environment a business uses, securing a traditional environment differs from securing a cloud environment. As your business considers moving into the cloud or expanding its cloud operations, keep these differences in mind as you make security plans.
Though modern cloud services have sophisticated security capabilities, the technology stacks used in traditional and cloud services differ markedly. Because on-premise solutions and cloud solutions often don’t directly map, security misconfigurations are a common risk of cloud adoption by businesses that do not have internal cloud-security expertise. Even if a cloud platform offers security services or components that theoretically solve a business’s problems, a lack of expertise means a business may either choose components that do not meet their needs or configure security settings in a way that leaves their data and their environment open to attackers.
The Importance of APIs
In a traditional computing environment, devices talk to other devices on the network to access necessary data that isn’t stored locally. However, in a cloud environment, devices instead communicate and retrieve information via APIs. API functions can expose valuable information to attackers. Securing a cloud system requires API access to be configured under a principle of least privilege, and API calls should be encrypted to minimize the opportunity for attackers to discover information via intercepted communications.
Security and infrastructure teams are often better trained on securing and encrypting on-premise data, which they have been doing for years. Data security in the cloud requires different considerations and procedures.
In the cloud, data-storage infrastructure (e.g. Amazon S3 buckets) offers robust security and encryption options, both for data at rest and data in transit. However, a lack of expertise can lead to data exposure, because cloud configurations do not correspond directly with on-premise data-security options.
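The least-privilege and encryption-in-transit points above can be checked mechanically against a storage bucket's access policy. The following is an added example, not Security Compass code: a small Python audit of S3-style bucket policy documents, with the weak setting beside a corrected one. The bucket name, account ID, role name, and both policies are constructed for illustration, and `audit_policy` is a hypothetical helper.

```python
import json

# Constructed weak policy (not from the article): anyone may perform any S3
# action, and nothing rejects requests made over plaintext HTTP.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicAll", "Effect": "Allow", "Principal": "*",
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
]}""")

# Constructed corrected policy: one named role, one read action, TLS enforced.
HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReportReader", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/report-reader"},
   "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/reports/*"},
  {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # "*" or {"AWS": "*"} grants access to every caller, authenticated or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _denies_plaintext(stmt):
    # A Deny conditioned on aws:SecureTransport=false blocks non-TLS API calls.
    cond = stmt.get("Condition", {}).get("Bool", {})
    return (stmt.get("Effect") == "Deny"
            and str(cond.get("aws:SecureTransport", "")).lower() == "false")

def audit_policy(policy):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    statements = _as_list(policy.get("Statement", []))
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if _is_public(stmt.get("Principal")):
            findings.append(f"{sid}: public principal")
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"{sid}: wildcard action")
    if not any(_denies_plaintext(s) for s in statements):
        findings.append("policy: no Deny for aws:SecureTransport=false")
    return findings
```

Calling `audit_policy(WEAK_POLICY)` returns three findings, while `audit_policy(HARDENED_POLICY)` returns an empty list. The check covers only the policy document itself; account-level settings and object ACLs are outside its scope.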
Public and hybrid cloud environments also require multi-tenancy considerations. Though any environment requires a business to make appropriate plans regarding the sensitivity and protection of data, the threat of compromise in a multi-tenant environment requires additional thought from the perspectives of both regulatory and business risk.
Whether you are on-premise or in the cloud, regular penetration testing is a necessity. Testing verifies that the controls your business thinks are in place are properly implemented and are providing the protection your business needs. Penetration testing techniques differ with cloud services; testing the effectiveness of controls in a cloud environment requires deep knowledge of the technologies, configurations, and APIs that cloud services depend upon. It also requires the ability to adapt and learn as new cloud technologies emerge. When selecting a penetration testing partner for a cloud environment, consider both the company’s cloud experience and its demonstrated ability to learn, evaluate, and test emerging technologies.
Securely Embracing the Cloud
The decision to move to the cloud brings scalability and flexibility advantages that help keep your business competitive. Considering security early in the adoption process will help your digital transformation progress smoothly and ultimately more efficiently as you avoid security issues that can hinder timely delivery. Knowing the difference between cloud security and traditional security can help your business meet the twin challenges of modernizing your infrastructure and staying secure.
To learn more about how Security Compass can help your business adopt cloud technologies securely, get to know our cloud security services or contact us to discuss your cloud security needs in detail.