When you’re making your cloud plans, security is always a consideration. However, with “cloud” referring to everything from a Dropbox account to private virtualized infrastructure to the public cloud, it’s easy to get lost in speculation. Here are five key points about cloud security to keep in mind in 2013:
1. There’s a lot of FUD around cloud security
Cloud security is a great headline and as a result we see a lot of stories about IT managers’ concerns about cloud. There’s nothing wrong with concerns, but it’s useful to look at data, too. And the bottom line is that it doesn’t make sense to assume that the cloud is inherently insecure. Logicworks partner Alert Logic publishes regular analyses of customer data comparing the threats detected in enterprise data center and hosted/cloud environments, and consistently finds that the rate of occurrence of incidents is similar in both, and the frequency is actually higher in the on-premises data center. Cloud security is a concern – because security is a concern in all IT environments.
2. That doesn’t mean cloud security isn’t different
That said, cloud security isn’t the same as on-premises security. For one, the types of threats seen are different. Those same Alert Logic reports find that web application attacks are more common in the cloud (affecting more than half of their customers), but malware and botnet activity are far less common than they are on-premises. So your approach to security should be taking those differences into account.
3. You can’t just move a traditional security solution to the cloud
The cloud has challenged a lot of traditional enterprise security providers. How do you secure a perimeter that is porous, encompassing on-site assets and elastic cloud instances? How do you monitor hosts that may exist for just hours? How do you implement create zero hardware footprint solutions? Cloud security is more than a virtual security appliance — it requires solutions designed for cloud deployment, which brings us to a final point:
4. Your cloud provider is central to your cloud security plans
Good security starts with frank discussion with your cloud provider. You’ll want to understand the security solutions they provide. You need to have a clear understanding of responsibilities at the application layer, so that when you have an incident it’s clear who owns what for a speedy resolution. And since one of the basic ingredients of security is good management (such as patching and configuration management) you should ask questions about these processes.
5. Managed Service Providers hire the experts
The reality is, unless you have a large budget to hire the range of talent that is required to manage a thorough and fully considered security layer on top of your infrastructure, the staff dedicated to such tasks are probably not as specialized as they need to be. That is not to say that these employees can’t do the job. However, in working with a cloud vendor, your business can access a deeper array of dedicated and highly knowledgeable and experienced staff that can better apply best practices to your properly secure your infrastructure.
Cloud security is a new area but it shouldn’t prevent you from taking advantage of the efficiency and flexibility that virtual infrastructure offers. As you make your 2013 plans, start talking security with your provider and you’ll be on the right path.
By Jake Gardner