Despite the popularity of the cloud and the momentum of many organizations making the shift from on-premise computing to cloud platforms, many are still concerned about cloud security. It makes sense; there is something disconcerting about how intangible the cloud is compared to having your own servers on site where you can see and touch them. “Your” cloud is being shared by other people; what if even one of them is a “bad actor”?
These fears have an impact on cloud adoption and cloud computing only accounts for about 10 percent of the hosting industry. But just because the cloud is out of your control and not under your roof doesn’t mean it’s completely out of your control. Having confidence in the security of one's cloud is paramount to an enterprise feeling in control again and trusting that the cloud is safe. But organizations need to take the first step by doing their due diligence before selecting their cloud vendor.
It might sound too simple, but the best way to feel more comfortable with using the cloud is to do your own research on whichever vendor you choose to use.
As Brian Castagna, Senior Director of Information Security at Acquia, told CIO Review in August, when you are looking to switch to the cloud, you first need to “make sure your security team is integrated with the business early in the procurement cycle. Get third-party audit reporting from the cloud provider, such as SSAE 16, SOC 2, and PCI DSS." Brian also expressed the vital importance of getting to know the security team at your chosen cloud provider, including visiting them in person.
Evaluating Security Compliance and Security Services
While there are many aspects of cloud security to consider when deciding whether to move to the cloud via a third-party vendor, two key areas to look closely at are security compliance (conformance with laws and regulations) and security services (software).
Security compliance is a series of controls and remediations dictated by different industries -- from ecommerce to health care -- including the government. It’s important to know when considering the move to the cloud, what information will you be storing? And does that data contain personally identifiable information (PII)? Different data in different industries requires different levels of security and compliance.
For example, if you’re a health care organization or doing work for one, not only do you have to be HIPAA compliant, so does your cloud vendor. If you’re a government agency, then you’d most likely look for vendors who have an “authority to operate” or ATO, from FedRAMP. For consumer goods or any organization with a commerce business where credit card transactions take place on your cloud hosted site, you’d want to make sure that your cloud vendor has Payment Card Industry Data Security Standard (PCI DSS) in place.
Many of these aren’t just guidance or best practices; some security requirements like HIPAA are actual laws.
When you’re storing any kind of PII in the cloud, you need to prevent hackers accessing it. This means you need to look for a vendor that has encryption in place.
However, encryption is but one step of many in a modern security process. In addition to implementing encryption, it is important to identify and close vulnerabilities in the application and the underlying platform. When setting up encryption, there are a number of considerations: Is it only encrypted when I store it or is it encrypted end to end?
Once you’ve reviewed compliance audits and encryption, even the most secure cloud needs Intrusion detection. This means anti-virus software and application firewalls to alert the security team to threats and contain them and place a barrier between hackers and your site. It’s not just a single instance but per every instance for a cloud implementation.
Every layer of the infrastructure needs to be secured, preventing access to load balancers and guarding against common tactics like SQL injections. All layers have vulnerabilities that require penetration testing to ensure security.
The Future of Cloud Security
Although public clouds will always be available, with security being such a concern, we may also see an increase in private clouds in the future. A private cloud can refer to either a cloud that is only shared with VPC or one that is completely isolated with no shared traffic or co-mingled server. Like public clouds, this will continue to be done virtually while increasing the level of protection each cloud has.
At Acquia, we provide both options -- public and private -- depending on client needs. This move started with the introduction of Acquia Cloud Shield two years ago. With Acquia Cloud Shield: the DNS (domain name service) and the sites’ IP addresses are both closed, locking hackers out who are looking to exploit any little hole. The reason for this is that even a small change can cause big problems. Private clouds allow for more control, allowing Acquia to provide its customers even more assurance, control, and comfort through encryption, penetration testing, etc.
In addition to offering many options to secure its customers’ cloud platforms, Acquia is taking a proactive approach to security rather than a reactive, defensive posture. We’ve set up the Acquia Cyber Defense Center for that purpose. From that control center, we scour the internet to determine where and when planned hacks might happen.
This level of vigilance is the standard for secure cloud operations now; as other cloud vendors, even our competitors have some type of security operations center (SOC). Security-conscious customers expect cloud providers like Acquia to have a SOC in place along with things like key management (KMS), incident response, intrusion detection, and monitoring. This continues to add layers of protection. We’re always looking for ways to be even more secure and compliant and minimize threats before they happen.