Doing things the way they've always been done can backfire. And not adapting security measures to public cloud is like trying to fit a square peg into a round hole -- it doesn't fit and there are bound to be gaps.
"Our technical architectures are brittle when we try to apply them [to the cloud]," said Jim Reavis, co-founder of the Cloud Security Alliance. Traditional security methods -- relying on the firewall to monitor traffic -- don't exist in the cloud.
Data centers have firewalls that offer the first line of defense. Many IT pros use security apps and data analyzers on top of that to capture packets going in and out. With cloud, companies don't have physical access to the system, so "there are more nuanced ways you have to apply security controls," Reavis added.
Developers also make the mistake of relying too heavily on the IaaS provider's security layers, said Justin Franks, lead cloud engineer at Lithium Technologies. Because Amazon Web Services (AWS) security groups, for example, are easy to use, developers may not take the extra steps to edit or manage additional layers of security.
Public cloud does have a security leg up over traditional data centers; cloud providers monitor data and alert customers to malicious activity. Providers also continue to roll out more security services and offer more visibility with access to log files, but those services tend to be a la carte.
"There are thousands of cloud services, so the onus is on the consumer to find out there's no uniform approach to how much visibility [the vendor] provides," Reavis cautioned.