As the 12 security breaches that shaped history illustrates, information theft was going on long before the birth of Edward Snowden or the cloud. In fact, one of the most famous traitors of the 1600s, England’s Guy Fawkes, is now the face of this century’s most infamous and “anonymous” hacker network.
In this second installment of our series, Avoid Hybrid Cloud Gotchas, I’ll discuss some of the issues that chief information officers (CIOs) and chief security officers (CSOs) face as they try to find the line between their company’s security boundaries and the protection offered by cloud service providers.
Maybe it’s not the cloud’s fault
So why does data security rank second in InformationWeek’s 5 Top Hybrid Cloud Gotchas, even when its own Cloud Security and Risk Survey demonstrated that it’s not necessarily cloud security that is the issue? The InformationWeek survey showed that over half of the respondents that are using or considering using public cloud services admit that cloud service provider (CSP) security controls were “on par with, if not superior to, their own.”
From my experience working as a security practitioner within Equinix’s Global Solutions Architects team, many CSPs have built secure infrastructures and services that go well beyond what any enterprise would ever invest in or could afford. Enterprise IT and security organizations need to consider that it might not be the CSPs’ security policies and procedures that they need to fear. Perhaps they should take a look at their own practices.
Come on, let’s be fair
In general, public cloud providers have built to a common denominator for security policies, procedures and technical controls. In the “shared responsibility model,” the CSP provides the same thing to each company, expecting enterprise IT and/or security organizations to cover the gaps between their own security solutions and the CSP’s. It is a popular, though hardly satisfying, response from many CSPs to reflexively tell a customer, “If you’re concerned, then encrypt it.” This response is not as glib an answer as it sounds. The mantra that “security is the #1 barrier to cloud adoption” has been used as a blackjack to the head of cloud providers for the past four years. They got the message, listened to their customers and are adapting.
I believe that CSPs are adopting a strong posture and policies tailored to the security needs of the enterprise IT market. For example, both Amazon Web Services (AWS) and Microsoft Azure have implemented many security-minded features aimed squarely at the enterprise buyer, such as identity and access management. AWS and Azure are both compliant with security standards, including SOC, HIPAA, FedRAMP and ISO 27001. They are also members of the Cloud Security Alliance, an independent industry organization that promotes the use of best practices for providing security assurance within cloud computing.
It’s very difficult to fairly and precisely determine the right level of security controls and mechanisms every CSP should employ as the protective underpinning for each of its services. Enterprise security is a business where you are incented to dictate outlandish requirements that a CIO or CSO could never fulfill. Enterprises need to have realistic expectations of the security provided from a multi-tenant, utility service provider and NOT force unrealistic, excessive requirements that they themselves could never meet.
Identifying where the lines are drawn between a company’s enterprise security and a CSP’s is only half the battle. In my next post on hybrid clouds and data security, I’ll discuss how companies can develop an enterprise IT security strategy that incorporates the adoption of cloud services within existing policies and practices.
Read the next part of the “Avoid Hybrid Cloud Gotchas” series.