Why moving to the cloud can help boost security and compliance [Q&A]
Although the adoption of cloud services has increased over the past few years, many organizations are still unwilling to make the move to the cloud due to security and compliance concerns.
But Jim Hansen, VP of product marketing at security management firm AlienVault, argues that companies with limited resources and budget should actually consider moving to the cloud in order to benefit from stronger security and compliance, in addition to other business benefits. We spoke to him to find out more.
BN: What are the business advantages of moving to the cloud?
JH: Cloud computing has proven to be more cost-effective than building, maintaining, and supporting a traditional data center environment. Data centers require physical space, power, air conditioning, cabling, and additional gear to support user access and movement of data in, out, and throughout the data center environment. Combine this with the software and hardware that has to be purchased and deployed and the costs add up very quickly. Of course, let's not forget that data centers, systems, and applications all require qualified people to manage them, as well. And with Cybersecurity Ventures predicting a shortage of 3.5 million cyber security professionals by 2021, it will be critical for organizations to deploy technologies that enable the IT organization to focus on meeting business objectives instead of just building and maintaining the systems that run the business.
Cloud infrastructure providers, in contrast, make it easier and more cost-effective for an organization to bring online new systems when they are needed. The infrastructure provider deals with the 'data center' and all of the costs associated with managing the underlying systems. The infrastructure providers operate at scale, which enables them to keep the price points low and allow organizations to keep their costs significantly lower. They buy what they need without having to think about how to expand or even spin up new data centers to align with their growth.
We are seeing a similar trend with software vendors moving their applications to the cloud as well. Why? It makes it much easier to deliver software solutions to customers from the cloud and helps to significantly reduce operational costs for the customer. The customer doesn't need the data center and all the costs associated with that, and they can focus their resources on using the product while the software vendor maintains it. The operational cost to use a cloud service is much less than having to manage and maintain the software itself.
A customer needs only to decide what they need, turn it on, and start using the system, enabling them to elastically expand or contract their infrastructure as needed to support their business needs.
The cloud also enables companies to be more agile and flexible as their organization grows. From a systems and software perspective, the cloud allows them to elastically expand their infrastructure and immediately start using systems and applications when they need them versus having to plan, spend, and often wait for data center space to be available. In addition, because cloud vendors are the ones that manage IT and infrastructure issues, employees can focus their efforts on other strategic initiatives. Also, because the cloud houses data, files, and systems in a centralized location, companies that take advantage of the technology can offer telecommuting options to their employees. Finally, the ability to access information and systems from anywhere, on any device, and at any time helps employees to be more productive.
In short, with cloud computing, organizations can affordably and quickly scale, bypass costly expenditures on hardware and upgrades, and make data and systems more accessible to remote and disparate teams. Gartner predicts that global public cloud services revenue will reach $260 billion this year, and, given the delivery model’s many benefits, it’s easy to understand the demand.
BN: Given all these benefits, why are some organizations still unwilling to migrate to the cloud?
JH: Despite the many technology and business benefits cloud computing provides, underlying security concerns have prevented many organizations from making the leap. Cloud vendors, who are being increasingly scrutinized due to vulnerabilities caused by misconfigured cloud technologies, have not fully assuaged these concerns. Since vulnerabilities provide an easy way in for cyber criminals looking to infiltrate corporate networks, this has led many organizations to falsely believe that they can more effectively secure their own systems and data.
In addition, many organizations are unwilling to move to the cloud for compliance reasons -- they just don't want to give up control and let data leave their premises. Furthermore, because cloud computing infrastructure is dynamic and scalable, it changes more frequently, adding a layer of complexity to monitoring cloud environments.
Together, these factors have led to the notion of IT arrogance, i.e., IT teams believing that they are in a better position to provide security than anybody else.
BN: Why are cloud providers more capable than in-house IT teams of securing an organization’s data and systems?
JH: To help answer this question, we need to look at the cloud through two distinct lenses: infrastructure and SaaS services.
First, let's focus on one of the biggest cloud infrastructure providers -- Amazon. Amazon’s security practices are above and beyond what most highly sophisticated companies can achieve on their own. Amazon, and other trusted cloud players, make protecting infrastructure and customer data a top priority, and they apply large budgets to go above and beyond the necessary security requirements, third-party verifications, and continuous compliance certifications. This is in contrast to in-house IT teams, whose members often wear multiple hats, with security being only one of their many time-consuming, resource-intensive responsibilities. The efforts that Amazon and other infrastructure providers go through ensure that the physical infrastructure and systems are protected. Of course, let’s not forget the Shared Responsibility Model (discussed below), which has to be taken into consideration when using any cloud infrastructure.
This leads to the second lens: SaaS services. Most SaaS vendors leverage some kind of public cloud infrastructure such as Amazon, Azure, or even Google Cloud, and others. This is largely because the security efforts that Amazon and others apply to their infrastructure are significant and can be trusted far more than trying to build it themselves. Of course, relying on Amazon’s security alone is not sufficient to deliver a service. A SaaS provider also has to appropriately secure their own infrastructure. They go through similar efforts to apply the necessary security requirements and validate their efforts through third-party verifications and continuous compliance certifications.
The combined security controls between the cloud infrastructure provider and the SaaS service provider are significant and nearly always far above and beyond what any organization can achieve on their own. The result is a highly secure, continuously monitored environment that trumps most self-managed data center infrastructures.
BN: What is the Shared Responsibility Model and why is it so important?
JH: Under the Shared Responsibility Model, a cloud infrastructure provider is generally responsible for ensuring the physical security of its data center, including building access, network, and server hardware, as well as oversight of the hypervisor hosting virtual machines. On the other hand, the customer is responsible for securing the operating systems, applications, and data running on cloud accounts.
Cloud providers have a shared interest in your security and provide services to help you more easily implement security best practices for controlling access and limiting network exposures. In fact, they even supply tools that work in conjunction with your cloud-based security management tools to help you better defend your virtual environments, e.g. AWS CloudTrail provides visibility into the actions being taken by both legitimate users and bad actors operating in your cloud environment.
While many traditional security tools, such as firewalls, file integrity monitoring, and centralized logging remain effective as you expand your perimeter and move data into the cloud, adding layers of security measures that are purpose-built for the cloud can help you to better secure and monitor the full environment.
BN: What factors should organizations consider when evaluating cloud providers?
JH: There are five key questions that organizations should ask when evaluating the security of cloud providers:
1. Does the cloud vendor have the appropriate security controls in place? Make the vendor prove they are secure. Ask the cloud vendor to share with you the explicit details of how they protect your data. Look for key control frameworks such as SOC 2 Type 2, PCI DSS, and others such as ISO 27001 and HIPAA compliance. Having this information will give you confidence that they have invested in the right security to protect your data.
2. Does the cloud vendor respond to issues quickly and effectively? Review the vendor’s status page. Every cloud provider provides public-facing information about their incidents. Take the time to read through it. If they have had an incident, how did they respond? Was the response clear? Was it timely? Was it responsible? Cloud vendors will sometimes have issues. This is okay. Their ability to detect, respond to, and quickly deal with the incident will give you confidence that they have appropriate processes and controls in place.
3. Does the cloud vendor keep your data segregated? Managing your data and keeping it separate from other customers’ data should be a top priority for a cloud security vendor. Ensure that the vendor does maintain appropriate customer data segregation so that there is no data bleed. This will require you to ask the vendor about their cloud architecture and how they maintain the data in their systems.
4. Does the cloud solution make financial sense for you? Calculate the total cost of ownership (TCO) to work with a particular vendor. Don’t forget to factor in data center costs, people costs, maintenance costs, upgrade costs, and support costs.
5. Does the cloud vendor offer a managed service option? Some vendors just offer technology. Others offer a full-service security monitoring solution either themselves or through their partners. Understand these options and leverage one of these providers if you need additional help.