For as long as public cloud services have existed, we’ve been hearing about security concerns as one of the main barriers to wider adoption. There’s a long-standing perception in the industry that things start going terribly wrong as soon as corporate data moves outside the corporate firewall.
We’ve seen this before in the enterprise computing world, with the BYOD-induced panic just a few years ago, when IT managers balked at the idea of storing corporate data on personal smartphones.
The perceived risk of public cloud is not based on fact, but on anecdotal evidence and news headlines. But are services like AWS or Azure really any less secure than their on-premises counterparts? And what about OpenStack-based cloud deployments, with the entire code of the platform available to any member of the open source community?
Perception and reality
In a recent study commissioned by Verizon and conducted by Harvard Business Review, the state of cloud security remained the most commonly cited barrier to increased adoption, with 35 percent of respondents reporting concerns about the safety of their data when using public infrastructure.
At the same time Verizon itself, in its latest Enterprise Cloud Report, highlighted that in the past two years, fewer than five percent of companies had experienced a significant data breach that was directly attributable to a cloud-based service — and that included SaaS applications, often used without any oversight from IT teams.
The fear of the cloud has blinded the industry, leading some of us to ignore a whole generation of security tools and practices which have been developed in the last five years.
Is public cloud really posing a danger to enterprise networks? To settle the matter, DatacenterDynamics engaged two of the world’s largest managed hosting providers: Rackspace and Datapipe. You could argue that public infrastructure is slowly eating their business, but instead of organizing the resistance, both companies now offer managed public cloud services.
With their reputation on the line, the two are also increasingly interested in cloud security, and here they seem to agree: while there’s no such thing as a completely secure public cloud, today public infrastructure is no more dangerous than your own data center.
Joel Friedman, who successfully combines the roles of CTO and chief security officer at Datapipe, told DatacenterDynamics that the weakest link of the information security chain is people – and that doesn’t change if you lease your infrastructure from public cloud providers.
“I don’t think there’s really any doubt that instance security can be achieved – otherwise nobody would have computers on the Internet. I don’t think there’s really much of a doubt about physical security – I’ve never heard of any heist against a well-known public cloud provider.
“Governance is an issue, and there are toolsets, but it’s not really indicative of a risk to a provider itself, just about technology. So then it comes down to the platform. If you were to look back at any of the breaches that have occurred in the public cloud, I would say that it’s not due to lack of inherent security controls in the platform, but due to the way that the end-user or their organization has configured the platform.
“Someone published their encryption keys to GitHub. Someone didn’t have multi-factor authentication enabled, and [their adversaries] were able to phish or keystroke-log their way in. The platform had capabilities to protect them, but the end-user never configured those properly. So therefore, it’s about education, it’s about implementation, but it’s not about the underlying platform.”
According to Friedman, adopting public cloud services could protect your data from the watchful eyes of various intelligence agencies, more effectively than some of the measures designed in-house.
“The tools are available. Both Microsoft and AWS offer key management functionality, which allows you to bring your own keys and encrypt [data] so the service provider doesn’t have access to the underlying data set. It’s encrypted, and the customer maintains the key,” Friedman explained.
“Is it technically feasible that they could backdoor their code? I suppose, but I don’t think anyone is legitimately concerned about that. I think a lot of this has to do with perceived risk, for those that don’t understand the platform.”
Re-education
Brian Kelly, chief security officer at Rackspace, expressed similar views at a recent meeting with press and analysts in London. Kelly – who spent the past 30 years managing security for customers including the US government and the mayor of New York - admitted that today’s cloud security architectures felt rooted in yesterday’s technology.
“One of the real challenges that we have in the cloud industry is to really change the perception that you can be, and should expect to be, safer in the cloud,” he said.
“Cloud providers need to take responsibility for giving consumers a greater understanding of what’s available. We owe them much greater control and transparency. Some of this lack of trust in the cloud is due to the fact they don’t really see what’s going on.
“We give payment card clients reports on compliance. I want to know what’s happening with my workload. The easiest thing for me to do would be to have a dashboard which displays the compliance state of my workload, and use that to make judgements about whether I need to worry about that today. I think cloud providers need to recognize that we have the obligation to drive that conversation.
“We’ve got to change the relationship from a cloud vendor to a cloud partner, and start to have deeper conversations, and take on things. I think we’ve got to work more closely with customers about what their options are.”
The question of the validity of public cloud for mission-critical workloads is not going away. According to IBM, GigaOm and a number of analysts, hybrid cloud is now the dominant method of deploying infrastructure, and will remain so for years to come.
Support for AWS, recently announced by VMware, seemingly represented the final truce between internal IT (mostly running on vSphere) and the public cloud (dominated by Amazon). Both companies admitted that in order to sucesfully build hybrid architectures, two different industries would have to share their secrets and cooperate.
Hybrid deployments can be complex to build and maintain, but they will save money and resources - and if you pay attention, they will not make your data any less secure. You just have to have the right tools - remember BYOD issues that were solved by the advent of a new category of Enterprise Mobility Management software?
The mission of security professionals remains the same, as always: protect your ‘crown jewels’, invest in the best tools and staff you can find, and hope for the best. And maybe, just maybe, outsource the public cloud shenanigans to someone else.
This story originally appeared in the November issue of DCD magazine.