There are a lot of myths about cloud security that need to be clarified. One is that a lot of people think that as soon as they give something to the cloud, they do not have to worry about compliance with security. That is absolutely not correct. If you are a business, your clients are looking to you for security. Whether you go to the cloud or do it internally using your private infrastructure, that doesn’t change your responsibility in terms of who owns compliance with security. There needs to be a very clear demarcation line.
The second myth has to do with black-and-white thinking: that either cloud is insecure by default or cloud is secure by default. Neither is correct. It really depends on the controls. You’re not reinventing or eliminating any controls. You’re just moving where the controls reside and changing who owns the controls. Cloud by default is neither insecure nor secure; at the end of the day, it’s how everything is implemented and how the data flows.
The third myth states that data is encrypted all the time. It really depends, and that’s a big myth. Some cloud service providers encrypt your data; some do not. You need to find out and understand how your data is handled. Does your service provider have the key or not? It all depends on the model of the cloud. Whether you are at box.com or Dropbox or Salesforce, it all depends on the various processes that they’re running on your data and whether your data is really encrypted or not.
The next myth: “It’s my data, I’ll get it back when I need it.” That is not necessarily so; it typically depends on where the data has been residing. There are also country-specific laws that you need to know, and you need to understand how to get your data back. There are a lot of other myths about cloud, and I will touch upon some of them below.
There are plenty of cloud models and services: IaaS, PaaS, SaaS. There are even different layers of services that cloud service providers offer. And then you have the deployment models: private cloud, public cloud, hybrid cloud. One needs to decide whether the data stays completely in a public cloud or in the datacenter, or whether it’s a hybrid model. One needs to understand and manage the risks of going into the cloud in terms of planning and management.
Cloud security considerations, whether compliance, identity and access management, service integrity, endpoint integrity, information protection or IP-specific protection, all need to be taken into account no matter how you are using the cloud and for what reasons.
There are various use cases for the cloud: website hosting, disaster recovery, test and development, seasonal capacity, eCommerce, etc. So again, at the end of the day, you need to do a proper assessment: a vendor assessment, what model to select, how vendors deploy various architectures, what the security ramifications of going to the cloud are and, last but not least, the financial analysis.
One needs to go through the full cycle. And do not follow blindly: if your competitor has gone to the cloud, should you go to the cloud? Maybe, maybe not; you and your competitors may differ. Cloud is just an enabler. It really depends on what you are trying to provide to your clients and to your organization. Are you using the cloud for apps, for transportation, for advertising? Whether you go to the cloud or not depends on all these various scenarios.
The final takeaways: cloud can be a great enabler, but at the end of the day, one needs to understand that a security breach in an environment, especially a cloud environment, can have a huge negative impact on your reputation and finances. Cloud is not one-size-fits-all. One really needs to understand the details when picking a specific cloud model. You do not start with: “I want to do cloud.” You have to start with: “What do I want to achieve, what’s my end goal, is cloud the right model for me?”
About David Balaban: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.