momius - Fotolia
Questions about the underlying security of the public cloud have largely subsided as adoption continues at a torrid pace. Still, IT shops struggle with the work to be done on top of the hyperscale platforms to fortify workloads.
Steps to improve transparency and familiarity with the public cloud have helped to allay fears about production workloads on the likes of Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform. But the shared-responsibility model still requires vigilance, especially as security experts work to understand how to handle emerging strategies around higher-level services and managing multiple cloud environments.
For the majority of the first decade of the infrastructure-as-a-service market, there was a constant refrain in IT circles that questioned whether the public cloud was production-ready. Somewhere along the way, that drumbeat quieted.
"I don't think I've had that question or challenge in the last 18 months," said Mark Nunnikhoven, vice president of cloud research at Trend Micro, a software security company headquartered in Tokyo. "The most common [questions are], where's the lifecycle for our existing environment, and how fast do we need to be transitioning to the cloud?"
Changes have helped assuage public cloud security concerns, but early adopters contend the key difference is perception. Security experts had been accustomed to putting everything behind a firewall -- a model that can sometimes cover all manner of sins inside the data center -- so the removal of that barrier meant a change in strategy.
In addition, the shared-responsibility model for security puts the onus on both the vendor and the customer. Now that the industry has moved beyond the early hype and hysteria around public cloud, IT pros have become more pragmatic and objective in how they address their security posture in these environments.
"When you see the jagged teeth of these things, you can start to fill in with compensation controls," said Jason Cradit, senior technology director at TRC Companies, an engineering and consulting firm for the oil and gas industry, which uses AWS as its primary cloud provider.
There's also increased trust in providers' claims that they can handle security better than most companies can do themselves. That's because they either have better tooling or better people, or both, said Richard Rushing, chief information security officer at Motorola Mobility. "The experience from a vast majority of cloud service providers is greater in sum than the experience you have on your own team and data infrastructure provider," he said.
Rushing cited redundancy as one example of that experience. He's gone to cloud providers to test the infrastructure and told them to kill an environment to see if the load balancer will switch over and everything will continue to work. It always does.
"If I went into our own data centers and did that, the networking people would all come out of the woodwork," Rushing said. "There's a confidence level that they don't have, and it's not because they didn't configure it right.
"It's just a lot of things -- complexity, switchover, failover -- that potentially create problems and things we didn't look at or see. And the cloud provider is there saying, 'We do this all the time. We do it for fun.' That's where that level of comfort has now started to come into play."
Another important change is the level of transparency these providers offer. Customers aren't allowed to tour data centers like they would at a colocation facility, but the facilities are now reviewed by major auditing firms that can provide an attaché to put customers' minds at ease. A slew of certifications tied to the U.S. Health Insurance Portability and Accountability Act and the Payment Card Industry Data Security Standard have also gone a long way in backing these vendors' statements about the underlying security of their platforms.
ProtectWise, a network security provider in Denver, went through its own Federal Risk and Authorization Management Program certification and found it to resonate with enterprises because it often goes beyond internal standards. And while not every company needs that degree of scrutiny, it can provide a level of understanding for customers who will never be able to see the inside of these data centers firsthand.
"When the visibility is made available and they look and have a realistic assessment, they think, 'Man, we have never pulled off [security] that exhaustive before,'" said Gene Stevens, ProtectWise co-founder and CTO. "The cloud service providers tend to execute a security model more broadly and more securely than … a traditional enterprise."
Cloud providers have also added a slew of security tools and features that organizations can use to aid in data protection, including data encryption at rest and in transit, web app firewalls and key management services.
Perhaps most importantly, however, controls around logging and identity and access management give customers more granular control and greater insight into workload security. The ability to audit some of the underlying infrastructure delivers proof for providers' claims about security under the covers, while access controls have allowed companies to enforce rules and policies in a manner they're more accustomed to. Those additional insights also enable customers to follow payments to address shadow IT and monitor and manage threat detection.
"[Enterprises] want to have these things, and I think probably that was why clouds were so scary to so many people," Rushing said. "Originally, it didn't have that visibility, but now you can get almost identical visibility that you can get on your local network."
New cloud services, new problems
Even as many of the early cloud security concerns have quieted, new questions emerge as higher-level services present opportunities for IT shops. Internet of things sensors and containers present challenges whether on premises or in the cloud, but others are more specific to the hyperscale providers.
One of the emerging technologies with new security concerns is what's called serverless computing. AWS Lambda is the most prominent of this new wave of function-based services that abstract much of the underlying decisions from the user. It still relies on Amazon's Simple Storage Service as the system of record, and CloudTrail can be used to monitor workloads. But Lambda functions lack access to the operating system, networking stack or other areas that typically provide security controls.
"We're still in the early days of figuring out what strong security looks like in those environments," Trend Micro's Nunnikhoven said. "It's an area where there's no off-the-shelf solution."
In addition to raising new questions, AWS Lambda also has the potential to answer some old ones. Some companies have started using it for automated response or remediation.
Sam BisbeeCTO at Threat Stack
"We're seeing more and more where someone takes an alert coming in or an auto-scaler and goes to a Lambda function so you can make changes or terminate instances or deactivate user access," said Sam Bisbee, CTO at Threat Stack, a cloud security provider based in Boston. "It's more automated disruption that has a better chance of actually dealing with the problem."
Most enterprises also have an amalgam of public clouds under their IT umbrella. Those initiatives are generally siloed among development teams, but creating an overarching security framework adds a whole new challenge.
"If it's hard to find a security expert that's also an AWS expert, then there are probably zero humans out there that are security experts, plus AWS experts, plus Azure and can explain all of those knobs and services to such a minute detailed view," Bisbee said. "The mapping of controls across different cloud providers is where things get really sticky."
Customers and security experts say it is important for providers to offer deeper visibility into the infrastructure, especially as highly regulated industries and critical workloads start to migrate to the cloud.
There's also a sense that getting deep-packet inspection and raw data could push cloud security beyond just compliance policy enforcement. By using those forensic capabilities and the scale of these platforms, customers will be able to cut down on the time to detection and democratize the ability to fully understand the scope of the problem and respond.
"Traditionally, that has been a luxury in network security," Stevens said. "But because of cloud's ability to innovate and scale out resources on demand and handle ludicrous amounts of data with ease, this has been an accelerant to making things work, and it will lead to a new normal [in workload security]."
Arm yourself against cloud security risks and challenges
Explore cloud security tools and strategies
Implement a shared responsibility model in multicloud