The Yin and Yang of Cloud Security
There are two aspects of security in the cloud; as with yin and yang, they are complementary, interconnected, and both necessary to achieve an integrated, wholly secure cloud computing environment. Developing end-to-end security is complex even within an internal data center; it’s even more challenging in the cloud, where the provider and your company share the responsibility of protecting information assets.
Provider Responsibilities: Security of the Environment and Operating Systems
The first aspect of security in the cloud has to do with the security of the environment itself. This security is implemented and overseen by the cloud services provider. The provider is responsible for controlling physical access to the facility and implementing firewalls and other technology to monitor and block unauthorized access to their network.
It’s crucial to understand where the provider’s security responsibility ends and yours begins. Depending on your agreement with the provider, either they or you may be responsible for applying security patches to the operating systems to close vulnerabilities.
Company Responsibilities: Security of the Application and Data
Even though you’ve turned over the provision and security of the infrastructure to the cloud services provider, the security of the application and the data itself typically remains with the company that owns the data. While Software-as-a-Service vendors provide some security features related to access to the application and its data, such as implementing multifactor authentication, even in that situation, the company needs to oversee how users apply for and are granted credentials.
It’s common for end users to initiate cloud usage without going through the IT department or conventional procurement channels—the so-called “shadow IT” problem—so securing your assets in the cloud begins with defining and enforcing a cloud usage policy. A cloud access security broker can help discover unauthorized cloud usage and enable a single sign-on strategy that keeps credentials secure.
Cloud security providers may offer data encryption, but their solutions are often not comprehensive. They may not encrypt all data and may retain control of the encryption keys. Additionally, companies need to ensure that data is encrypted both while it’s stored and while it’s being uploaded to the cloud.
Achieving the Security Balance
To achieve security in the cloud, provider security controls and complementary company security controls need to work together to provide complete protection. Start by making sure you understand your agreement with the cloud provider, including incident reporting and incident response procedures. Conduct a complete review of your applications before migrating to the cloud so that you understand the risks involved and can choose public, private, or hybrid cloud architectures to protect data appropriately.
Prescient Solutions can help you design a cloud solution that meets your business needs and ensures that your information is protected. With our expert team’s advice, you can create a public cloud deployment that still keeps your data private, a hybrid cloud that ensures you share only the data you want shared, or a private cloud that lets you expand on demand without exposing data beyond your data center. Contact us for a free assessment of the risks and rewards cloud computing can offer your business.