Public cloud infrastructure should be secured. Who is to ensure it? How to control cloud service providers? What indicates the cloud service is provided by a trusted party? This article reviews the above as well as some other security concerns.
Businesses are opting for the cloud more and more. The ongoing coronavirus outbreak is intensifying this transition. Governments, NGOs and enterprises of any size and profile are now subscribing to cloud provider services. Against this background, a range of security concerns arises, from how responsibilities are to be distributed between the parties to data integrity issues.
Cloud performance depends on the user’s IT skills. A user who has already consumed some cloud services would be more cooperative and readier to understand how the responsibilities can be delineated. Mature customers tend to have rules in place governing their relationships with cloud service providers, as well as indicators for evaluating such cooperation.
In the best-case scenario, the customer is fully aware of the security arrangements at their disposal. In the worst-case scenario, the customer expects the entire range of security measures to be included in the infrastructure as a service, while few such services are available or their quality is too low.
However, the transition to the cloud still provides structural improvements as compared to old non-cloud operations in terms of IT security. A rarely used option is to deploy the cyber protection mechanisms anew by adopting the provider’s up-to-date and protected utilities rather than fully outsourcing them.
Some vendors face criticism for limiting the services to channels, cores, and disks only instead of meeting the actual demands of their customers. Providers think customers are not going to learn the cloud technology from A to Z and that they need only to have features readily available, operating flawlessly, and offering acceptable security levels.
However, this narrative is true as long as the clients operate at the SME level. Big businesses stick to this approach and demand the capacities and features since they already have security strategies, teams, and tools.
Regarding the regulatory impacts in this sector, any intervention by the government establishing a legal framework increases the public cloud cost. Meanwhile, users may misunderstand the strict regulatory framework and require cloud service providers to offer better security.
IT security professionals need to be aware that a range of their responsibilities will move to the public cloud provider’s side. The IT staff of a migrating party should focus on the compliance and auditing measures built upon the rules laid down as the cooperation commenced.
Public cloud processes run flawlessly as long as the IT specialists arranging these workflows have adequate management skills and are able to leverage the majority of the measures and security tools at their disposal.
After deploying the cloud infrastructure and using it for a while, the organization comes up with more sophisticated and essential questions and issues for its provider. Safe networks, protected web resources, and monitoring services are gaining significance for IT professionals. They are also becoming more concerned about how the provider monitors security events, responds to malware attacks, and reports on these issues.
Let me offer several measures to be taken when moving your infrastructure to the public cloud. In a nutshell, the sequence of arrangements and actions is as follows:
Security inversion is one of the approaches dominating the modern public cloud landscape. It calls for IT staff to focus on the user’s security rather than on the data center. This is reasonable since all IT systems are designed for people, and it is the people who are the most susceptible to attacks. A comprehensive approach to cyber security builds upon the inversion as it encompasses the whole variety of human activities in the IT infrastructure.
Unless trusted, cloud service providers cannot cooperate with their users successfully. Let me review critical and less important trust-building criteria.
The audit process helps the customer ascertain that the provider has implemented and follows all the necessary security procedures, including those that specify rules for interacting with contractors and controlling the work of system administrators.
Generally, a cloud service provider lacking trust is one that has no trust in its own staff members. There is only one way for the provider to prove it can be relied on: to show customers the inner world of the public infrastructure and how security measures work there.
Accreditation and certification as such do not win trust. Although certification does not increase confidence, its importance is beyond question, as it ensures standard public cloud workflows.
Returning to confidence in service providers, I should point out that things like insider threats apply to every entity, and cloud service providers are no exception. An effective way to prevent leaks of sensitive data is to record, store, and analyze all events that occur in the information system of the cloud provider.
It is a good decision to let a provider manage your data and computation power. Providers stick to uniform risk mitigations and abide by most security rules. I expect the migration to the cloud is going to continue. Businesses are going to work together with the providers in establishing trust in each other and building effective mechanisms to control security incidents.
Insurance companies are interested in a complete assessment of the provider’s protection mechanisms. Insurers will act as additional guarantors and auditors that will help to build better relationships between cloud service providers and customers.
Entities migrating to the public cloud are still greatly concerned with numerous security problems. Cloud service providers keep reassuring them that these concerns are groundless. What the providers need to do is learn how to make their potential clients trust a public cloud. The market is going to grow dramatically once the parties settle their interaction issues and set up working communication.
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.