I was recently asked by the Cloud Security Alliance (CSA) to write a thought leadership white paper titled “Security Considerations for Private vs. Public Clouds.” The paper, which I wrote before I joined Equinix, calls out some of the most vital security-related variables to consider when deciding whether to pursue a private or a public cloud deployment.
This decision is daunting for countless reasons, and the mountain of security-related variables to consider towers high among them. Barely a week passes without news of another high-profile security breach. That makes embracing a broadened IT perimeter seem risky, but it’s not as perilous as it might seem. If you are properly informed and do your homework, you can make a confident decision.
The reality is there are scores, if not hundreds, of security considerations. I’ve grouped some of the most important into four topics:
Business and Legal Considerations: These include requirements gathering, contracts, service level agreements, roles and responsibilities, and compliance and audit. There are three primary takeaways here. First, before you sign contracts and service level agreements, it is paramount that requirements – business, legal and IT – be painstakingly gathered and covered. Use your collective imaginations to address every foreseeable thing that can go wrong. Second, contemplate roles and responsibilities at a fine-grained level and make sure it is crystal clear what you will do, versus what the cloud service provider (CSP) will do. I recommend using the RACI technique, in which you create a highly detailed assignment matrix to divide roles and responsibilities. Third, make sure you get the first two takeaways right, because come compliance audit time, you will be held retroactively accountable for any mistakes that have occurred.
Physical Attack Surface Considerations: An attack surface is the sum of vulnerabilities that are accessible to would-be attackers. Physical attack surfaces include humans, and you will want assurance that your CSP follows universally accepted best practices, such as background checks and employee non-disclosure agreements. Physical attack surfaces also include data centers; you should hold a public CSP accountable to the standards set forth in ISO/IEC 27001 or a similar information security standard. If you are wise, you’ll demand the same of yourself in a private cloud.
Virtual Attack Surface Considerations: These include the treatment of servers, storage and network devices. Be sure your public CSP has adequate controls in place to prevent compromise of trust boundaries. These considerations also include virtual operating systems and hypervisors. If sound OS-hardening practices are not adhered to, the result could be a compromise of the hypervisor, which at a public CSP can cascade to the compromise of trust boundaries for thousands of other tenants. (I refer you to the Venom bug.) Finally, consider the fundamental ingredients of management consoles and APIs. Keep in mind that they power the on-demand and elastic self-service aspects of cloud computing and are the moral equivalent of having physical control of legacy IT infrastructure.
Operational Considerations: One way that I like to look at security breaches is through the lens of efficiency, which is what operations management is all about. Consider that breaches at very large corporations have had recovery costs in the hundreds of millions of dollars, which is a huge hit to the bottom line, if not valuation. Ultimately, an enterprise operating with flawed security in the cloud is one operating with a low degree of efficiency. Considerations here include those pertaining to data migration; change management; logging and monitoring; and incident management and recovery.
You can download the whitepaper here.
You can also read more about cloud security by going to “Avoid Hybrid Cloud Gotchas: Data Security Strategies” or “There’s no crying in baseball or cloud security.”
Full disclosure: The paper was sponsored by Palo Alto Networks, which, purely by coincidence (really!), happens to be an Equinix customer.