Many cloud administrators have to make the case that cloud is just as secure as, or more secure than, on-premises IT environments. And while there are still cloud security skeptics in the enterprise, they can play a key role in identifying pertinent cloud security issues. Ultimately, to win a cloud security argument, administrators should treat any concerns about the security of cloud computing as legitimate, and address them accordingly.
The first step to ease your organization's security concerns with cloud computing is to assess the security backbone of potential or current cloud providers. The simplest way to do this is to verify a provider's major security certifications. Some important certifications to look for include the ISO 9001:2008 certification, ISO 27017:2015 certification, Multi-Tier Cloud Security Standard Level-3 certification and OC-3. Assessing the certifications of a cloud service vendor provides a good jumping-off point for other assessment factors.
For instance, regulation compliance is also a good indicator of the overall security of cloud computing services or providers. If you work in highly regulated industries, such as finance or healthcare, regulation compliance is a must. Part of assessing a vendor's security level is recognizing the regulations -- such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard and Federal Risk and Authorization Management Program -- with which your organization needs to comply.
To properly address your compliance needs, look in-depth at the cloud service in question. Remember that only some of a provider's cloud services may be compliant with a particular regulation. For example, Amazon Web Services' EC2 instances may be used with applications subject to HIPAA regulations, but the SMS messaging service cannot.
Another hurdle administrators face when addressing concerns about the security of cloud computing is dealing with a dynamic infrastructure. Environments configured for flexibility and scalability rely on code to properly maintain the required level of security. Luckily, there are tools available for such a task. Tools such as Chef and Puppet, for example, enable the writing, testing and configuration of scripts, which minimizes the risk of configuration errors. Similarly, there are tools available for monitoring and configuring servers.
Tackling security concerns with cloud computing through shared responsibility
It is important to remember that cloud providers employ a shared security model. Generally, the cloud provider is responsible for securing its own network, the physical security of its facilities and the security of services up to and including hypervisors. On the other hand, customers are responsible for system and application security. These are the same responsibilities one would have with on-premises IT environments.
To hold up the customer end of a shared security model, there are some best practices to keep in mind. These include using hardened machine images, routinely performing vulnerability scans, using encryption for both data in motion and at rest, and using identity management services for access controls.
But, even with these best practices in place, security concerns with cloud computing still persist in many organizations. And one question, in particular, still lingers: can the cloud provide improved security over an on-premises environment? In short, yes. There are two main advantages to using a cloud vendor. First, cloud providers benefit from economies of scale. Because they can recover costs from their wide customer base, cloud vendors invest in security procedures that can be applied to a large number of users. Second, as a customer, working with a cloud provider frees up the IT security resources that would normally need to go into physical or hypervisor security.
Cloud providers offer an opportunity for users to take advantage of their security technologies and procedures. This allows customers to focus on delivering functionality and services that meet the specific needs of business users, while still protecting the confidentiality, integrity and availability of systems. This may be the most effective argument for addressing security concerns with cloud computing: cloud providers have demonstrated a commitment to security, have the ability to meet demanding standards and relieve customers of some of the overhead of IT security implementation and administration. If you opt to not take advantage of these benefits while competitors do, consider whether that puts your company at a competitive disadvantage.