The CIO of Capital One, one of the largest banks in the US, made a bold statement in 2015 at a major cloud conference. “We can operate more securely on AWS than we can in our own data center.” Is this really possible?
In your own data center or on your own physical servers, you have complete control over everything. You install the software, network, and hardware so you know exactly how you set it up. You also manage it yourself, configuring every piece of equipment to your desired configuration. You could employ the most robust security, logging, and auditing processes possible. You have the ability to completely control and audit every detail and no third party would have access to any of your data without you knowing about it. In theory, because you tightly control every aspect of the environment, you really could be more secure.
In reality, companies are generally not in the business of securing infrastructure, maintaining servers or running data centers. Staff is spread thin and time is in short supply to implement, maintain, and audit complex, layered security best practices. Organizations should consult security staff prior to deployments and changes, but often they don’t. Companies make too many changes to review every change manually. Staff can’t keep up with the glut of security alerts. People find ways to bypass security controls and processes when they become a bottleneck. Logs get tampered with or even deleted. Encryption keys get stored insecurely on file systems. Multiple people manually update configuration files with little to no audit control. Lack of separation of duties enables one person with too much access to wipe out critical systems – inadvertently or intentionally.
Third-party cloud platforms offer a new approach to managing secure environments. First of all, the cloud provider and the customer share security responsibilities because the cloud provider maintains certain aspects of systems and networks that a customer cannot access. You may feel that you are losing control of security, but check out the security processes for your cloud provider and ask yourself if yours are better. If so, maybe you should continue your business outside of the cloud. However, if your cloud provider has more secure operations and processes than your own, you could be more secure in the cloud.
See the links below to learn more about the security processes of top public cloud providers:
In addition to offloading some security operations to a company that has certified processes and many security specialists, cloud platforms offer features that help improve security, if leveraged correctly. The following features of cloud platforms can help improve security for some companies:
- Inventory:
The first CIS Critical Control states that companies should maintain an inventory of authorized systems. Cloud platforms offer an automatic mechanism for maintaining an inventory by virtue of how they operate. Any time something is deployed on the cloud platform it is added to the inventory. The account owner can query what is running in their account. Cloud services offer different mechanisms for inventory classification such as Tags in AWS. By contrast, you’d manually have to maintain this sort of inventory for your physical on premise servers.
- Automation:
Companies can automate deployments on third-party cloud platforms more quickly, leveraging tools provided by the cloud provider. Automated deployment helps prevent human errors. Sure, you could build this automation in your own environment. However, most companies don’t have the resources to do this as quickly or as thoroughly as they can on a cloud platform. Leveraging the tools provided by cloud platforms helps companies get things done faster because the resources work together with built-in mechanisms for automated deployments.
- Third Party Auditing:
Third-party cloud platforms are designed to audit everything. For example, if you turn on the Cloud Trail service, AWS automatically and securely logs every action taken in the AWS system. If you set up user accounts and permissions correctly, AWS ties every action back to the individual who took the action and what they did. Since AWS maintains this service, companies know their own staff can’t change the cloud service audit trail. This allows companies with a small staff to maintain separation of duties and third party auditing without hiring additional people.
- Secure Log Storage:
In addition to logging the actions taken on the cloud platform, all systems can send logs for every action taken to the cloud platform. You can set permissions so the people and systems taking those actions cannot delete or alter the logs. Scalable, cost effective storage allows you to store logs longer with greater redundancy.
- Encryption and Key Management:
In some cases, third party clouds offer solutions for key management, which is a challenging task for many businesses. You can assign private keys managed by a third party, or bring you own key, in which case you need to ensure the key is well protected and never lost. Some clouds offer HSMs, automated key management and the ability to encrypt databases and storage with the click of a button.
- Event Driven Security Checks:
Some cloud platforms allow you to trigger security checks and auditing to block, alert or revert changes that don’t match security policies. For example, you might want to disallow uploading files that are not encrypted or creating networking rules that allow too much access. Rather than manually reviewing every requested change, security teams can write rules to allow or disallow actions in the account automatically. For more information, please read this white paper on event driven security automation.
Can you trust a cloud platform to keep your data secure? Just as you trust banks to store your money, you can decide to trust a third party to store your data. The key is choosing a provider with good security practices, and that’s where service level agreement, contracts and third party certifications come into play. Cloud platforms provide security details in their documentation and contracts. You can also refer to third party audits and certifications to verify a company does what it says. Finally, there is a reputation associated with a brand. While not always the case, well-known cloud providers have likely invested more in security to protect their reputation.
For many businesses, the potential exists for greater security in the cloud. A recent study by Schneider Electric states that 78% of IT respondents believe the cloud is secure. IT personnel are not always security experts and any company moving to the cloud still has to follow best security practices to avoid ending up like Code Spaces – a business that ran entirely in the cloud and was essentially deleted. However, if security is architected and implemented correctly, the cloud offers the opportunity for IT, security and software development to converge, and a chance for businesses to re-think and re-architect (or as Amazon says re:Invent) more security into their systems and processes. Hopefully the above criteria will help you evaluate whether your business could be more secure in the cloud. — Teri Radichel (@teriradichel)