Is the Public Cloud Safe?

- By Jawaid Ekram on October 02, 2015

While there is a lot of excitement around cloud computing and its benefits, security and compliance are the top reasons used for not migrating to the cloud.

In the last decade, there has been a tremendous amount of innovation coming out of companies running their businesses on the public cloud. Netflix, SalesForce, Uber, AirBnB are just a few examples. These businesses have taken the advantage of the public cloud. On the other hand, it is very hard to find innovation and wealth generation coming out of companies leveraging their legacy data centers (aka Private Cloud).

Most of the enterprises are still running legacy data centers. However, they renamed them as “Private Cloud.” These legacy data centers lack the functionality and agility offered by the public cloud.

Cloud security is a very emotional issue and the concerns of pubic cloud security sometimes come from lack of knowledge and from the fear of giving up control. CIO’s are held accountable for security regardless of whether they run their workload on the public cloud or private cloud. Keeping the status quo is perceived to a safer choice for their job.

The fundamental question is whether public cloud is safe from a security perspective. It may be counter-intuitive, but public clouds are far more secure than most of the private cloud. 

Bruce Schneier, an internationally renowned security technologist, called a “security guru” by the Economist, author of 13 books on security, best summarized his thought of public cloud as:

“My company, Resilient Systems, uses cloud services both to run the business and to host our own products that we sell to other companies. For us it makes the most sense. But we spend a lot of effort ensuring that we use only trustworthy cloud providers and that we are a trustworthy cloud provider to our own customers.”

There are hundreds of cloud providers, and the keyword is to find a trustworthy cloud provider. So companies like Amazon, Google, and Microsoft are the giants in cloud computing having an army of people who understand cloud infrastructure, networking, and security. Most enterprises cannot afford to match their technical capabilities. These cloud providers not only design security into their system, but they have dedicated security and networking experts to protect their customers whenever there is a cyber attack or a security breach.   

Today, CIOs have a hard choice in implementing clouds. Both public cloud and private clouds have a high-security risk. It all comes down to risk management and risk mediation. So choosing whether private or public cloud is a better option comes down to two factors:

  1. Minimize security risk: Security risk can be minimized by implementing proper technology and in having the proper process and controls.
  2. Security breach responses: No matter how the public or private cloud is architected, there is always a possibility that security will be breached. Thus, a company must have the technology, people, and processes to quickly respond to security breaches.

At a macro level cloud security can be looked in the following three layers:

  • Physical and environmental: The best practice is that data centers must have strict access control both at the perimeter and at building ingress points by professional security staff utilizing video surveillance and intrusion detection systems. Staff must pass through two-factor authentication. Visitors and contractors must be escorted at all times.
  • Infrastructure (IaaS): This involves management of servers, networking equipment, firewall, host operating system, and virtualization layer.
  • Platform and application: Maintaining the guest operating system (including updates and patches) and application software is under the control of the customer for both public and private cloud.

In an IaaS, the cloud provider operates, manages and controls from the host operating system and virtualization layer down to the physical security of the facility in which the service operates. Customers handle the management and control of the guest operating system (including updates and security patches), all application software and configuration.

There is a perception that since public cloud is running in a shared environment, it is not safe. The reality is IaaS cloud vendors have evolved from just providing shared environments to provide complete separation: such as physical and virtual private clouds, dedicated networks, and dedicated instances. In a hybrid and dedicated IaaS offering, the level of separation and isolations can be determined and deployed by the customer. Enterprise customers will be challenged to provide this level of isolation within their private cloud.

There is nothing unique about the technology used by cloud providers; the same technology is available to enterprises.  So the difference between the public cloud and private cloud comes down to simple focus and resources. 

You can safely presume that cloud providers always implement state of the art physical and logical security practices that might be not be affordable to a private cloud or a traditional data center operation. By virtue of economies of scale public cloud effectively offers the following to keep your data safe:

  • Advanced encryption – Most of the public cloud providers use Server Side Encryption - AES-256 (Advanced Encryption Standard) - one of the strongest algorithms available to encrypt your data.
  • Minimize security risks by following standard practices - Most of the top public cloud providers are now HIPPA, ISO, PCI, EU Data protection and other global security agencies certified. It simply means they have proper process and technology in place to safeguard your data.
  • Advanced tools to identify an attack - The public cloud provider deploys advanced tools to help identify the types of denial of service (DoS) attacks, including distributed, flooding, and software/logic attacks. When DoS attacks are identified, the cloud provider incident response process is initiated. As the cloud providers endpoints are hosted on large Internet-scale, they can effectively absorb a large DDoS attack. 
  • Quick and appropriate security breach responses - No matter how the cloud is architected, there is always a possibility that security would be breached. Here also the well-funded public cloud are better equipped in terms of manpower and technology for a quick and befitting response to any breach.

Security researchers have a 'responsible disclosure' protocol under which, when they discover the vulnerability in some software (OS, library, etc.) they will first tell the companies/organizations responsible for maintaining it. They will also tell large software and service providers like Amazon, Google, etc. who have millions of customers who can be put at risk if the vulnerability is known to malicious parties. This notice gives large cloud service providers a security advantage not available to individuals and enterprises.

The last two major security breaches (Wiki leak and Snowden) happened in very hardened private clouds and not public cloud. In both these cases, it was not a failure of technology but a failure in controlling the access.

Most organizations focus primarily on protecting themselves against hackers and external threats. However, more than 70% vulnerabilities come from internal breaches. One of the reasons for the high number of vulnerabilities is simply because many enterprises have lagged behind in responding to current technology trends due to lack of critical resources.

Bottom-line

Enterprises should feel comfortable with public clouds when dealing with trustworthy cloud vendors like AWS, Microsoft, Google, and others. Public cloud will allow an enterprise to innovate fast by taking advantage of all the new technologies and services available in the public cloud. When enterprise needs to implement private cloud for legal or legacy data integration reasons they should seek help from managed cloud vendors like Cisco, IBM, and HP. Private cloud, in general, will lack the agility and innovation.