BOSTON -- Enterprises have warmed up to the public cloud with the belief it can be at least as secure, if not more, than on-premises infrastructure. But IT teams still need to fortify their cloud apps, and some increasingly rely on automation and infrastructure as code to do the job.
It's taken a long time for businesses' public cloud security concerns to subside. In fact, though, the security controls put into place on the public cloud are often more robust than a company's on-premises setup, in part because enterprises can tap into the public cloud providers' significant security investments, said Andrew Delosky, cloud architect at Coca-Cola Co.
"A hack on you is a hack on your vendors," Delosky said here, during a presentation at Alert Logic's Cloud Security Summit this week. "[Cloud providers] don't want to be in the news just as much as you don't want to be in the news."
While public cloud security concerns, in general, have dwindled, IT security professionals still take the subject seriously, said Bob Moran, chief information security officer at American Student Assistance, a federal student loan organization based in Boston.
"I think security professionals are the ones that are uncomfortable with cloud security because they don't understand it," said Moran, whose company's cloud deployment is mostly SaaS right now, but includes some trials with Amazon Web Services (AWS) infrastructure.
Adjust a security strategy for cloud
IT security professionals face a learning curve to evolve their practices and tool sets for cloud. For starters, they need to grasp the concept of shared responsibility -- a model by which a public cloud provider and a customer divvy up IT security tasks.
In AWS' shared responsibility model for infrastructure as a service (IaaS), the vendor assumes responsibility for everything from the hypervisor down, said Danielle Greshock, solutions architect at AWS, in a presentation. This means AWS secures the hardware that underpins its IaaS offering, which includes servers, storage and networks, as well as the physical security of its global data centers. AWS users are generally responsible for the security of their data, applications and operating systems, as well as firewall configurations.
However, the line between AWS' security responsibilities and those of its users can blur and shift, depending on which services you use.
"[With AWS Relational Database Service], you don't actually have access to the underlying server, so we patch the operating system for you," Greshock said. This is different than a traditional IaaS deployment based on Elastic Compute Cloud instances, where users themselves are responsible for OS patches and updates.
"Knowing what part you need to worry about is probably the key to your success," Greshock said.
Apart from reviewing shared responsibility models, IT teams can evolve their security strategies for public IaaS in other ways. Some tried-and-true tools and practices they've used on premises, such as user access controls, encryption and patch management, remain in play with cloud, albeit with some adjustments. For identity and access management, for example, teams will want to sync any on-premises systems, such as Active Directory, with those they use in the cloud. If they delete or alter a user ID on premises, they implement the change in the public cloud, as well.
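The identity sync practice described above, as an added example that is not from the article or any of the organizations it quotes: a reconciliation check that compares an on-premises directory export with the cloud IAM user list and flags accounts whose cloud access should be removed because they were deleted or disabled on premises. The directory contents, the `DriftReport` type and the two helper functions are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (not real directories): on-prem user IDs mapped to
# whether the account is enabled, and the set of user IDs present in cloud IAM.
ONPREM_USERS = {"alice": True, "bob": False, "carol": True}
CLOUD_IAM_USERS = {"alice", "bob", "dave"}


@dataclass(frozen=True)
class DriftReport:
    orphaned: frozenset  # in cloud IAM, but no on-prem account exists at all
    disabled: frozenset  # disabled on-prem, yet still present in cloud IAM
    missing: frozenset   # enabled on-prem, but never provisioned in the cloud


def reconcile(onprem: dict, cloud: set) -> DriftReport:
    """Compare the two identity sources and report every kind of drift."""
    cloud_ids = set(cloud)
    onprem_ids = set(onprem)
    orphaned = cloud_ids - onprem_ids
    disabled = {u for u in cloud_ids & onprem_ids if not onprem[u]}
    missing = {u for u in onprem_ids - cloud_ids if onprem[u]}
    return DriftReport(frozenset(orphaned), frozenset(disabled), frozenset(missing))


def remediation_actions(report: DriftReport) -> list:
    """Turn a drift report into an ordered worklist. Access removals come
    first because a lingering cloud identity is the security-relevant case;
    missing accounts are only an availability issue."""
    actions = []
    for user in sorted(report.orphaned):
        actions.append((user, "remove-cloud-user"))   # no on-prem owner remains
    for user in sorted(report.disabled):
        actions.append((user, "disable-cloud-user"))  # mirror on-prem disablement
    for user in sorted(report.missing):
        actions.append((user, "provision-cloud-user"))
    return actions


if __name__ == "__main__":
    for user, action in remediation_actions(reconcile(ONPREM_USERS, CLOUD_IAM_USERS)):
        print(f"{action:22s} {user}")
```

In practice the two inputs would come from an AD export and the IAM user listing of the cloud account; the comparison logic is the same.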
But some organizations have adopted more emerging technologies or practices, such as infrastructure as code (IAC), to ease public cloud security concerns.
In traditional on-premises models, IT teams centralize control over any new resources or services that users deploy, and this should still be the case with public IaaS. But cloud's self-service nature enables users to spin up resources on demand -- sometimes without IT approval -- and bypass that centralized control, said Jason LaVoie, vice president of global platform and delivery at SessionM, a customer engagement software provider based in Boston.
"With on-prem, you have an IT team with keys to the kingdom," said LaVoie, whose company uses Amazon Web Services. "But it doesn't always work that way with AWS."
SessionM uses IAC to minimize the security risks in cloud self-service. IAC introduces more frequent and formal code reviews, increased automation and other practices that minimize the "human element" of public cloud resource deployment, so it helps reduce risk, LaVoie said.
Coca-Cola, which uses both AWS and Azure for IaaS, has adopted a similar approach.
"The whole infrastructure as code is such a revelation," Delosky said. "Just being able to deploy the exact same application footprint, from an infrastructure level, every single time, no matter if you are in dev, test or production, with the same security controls ... that's a huge game-changer."
Another way enterprises can evolve their security strategies for cloud is to appoint a dedicated IT staff member to oversee a cloud deployment, often with a specific focus on security or governance. Some organizations refer to this role as a cloud steward, said Adam Schepis, solutions architect at CloudHealth, a cloud management tool provider based in Boston.
Others, such as Coca-Cola, have created a Cloud Center of Excellence to unify IT and business leaders, as well as line-of-business managers, CISOs and others, to outline goals, discuss challenges and more.
"For us, that was probably the most critical thing we did," Coca-Cola's Delosky said.