Security protocols and technologies are most effective when considered at the start of architecting enterprise infrastructure or developing business processes, rather than being bolted on as an afterthought. The entire security landscape has changed in recent years and continues to evolve on an almost daily basis. No longer is it sufficient to simply wrap a firewall around your on-premises data center. There are now cloud platforms you must protect, and often multiple public clouds and hybrid cloud setups to safeguard as well.
Corporate data must be protected when it is resident in the cloud, moving among cloud platforms, or in transit between the cloud and on-premises workstations, virtual machines, or mobile devices. “One of the biggest differences between traditional and modern networking security is going from physical boxes to a virtual networking situation,” says Myles Brown, Senior Cloud and DevOps Advisor for ExitCertified.
“What you’re actually doing is the same in terms of deploying security solutions and enforcing security protocols,” says Brown. “The major difference is that now it’s a shared security model. Ensuring security is partially the cloud provider’s job and partially your job. You have to figure out where that line is in between what they do and what you do. That’s probably the biggest change in terms of security in the cloud.”
There are other, more tactical security advantages to having an organization’s data and applications hosted in public, private, hybrid, and multi-cloud platforms. Event auditing is vastly improved by virtue of shifting operations to a cloud platform, which can also be a great help to security teams. “Everything that happens is the result of an API call. That means there’s always traceability,” says Brown. “There’s always a nice audit trail of who did what and where and when. In the physical data center world, if someone were to plug something into a server, where’s the record of that? Maybe we caught it on camera, and maybe we didn’t.”
Maintaining regulatory compliance is also important in ensuring comprehensive security. “Compliance is another major issue when adopting a hybrid or multi-cloud,” says Brown. “When it comes to compliance with the private cloud, there are a lot of factors you have to consider, but most of that is actually taken care of in the public cloud. If you’re trying to make it seamless between the public and private cloud, you have to think of it as the same thing running in two places. The access controls and tools, load balancing—all that is the same.”
To mitigate some of the complexity that may arise with managing and monitoring multiple cloud platforms, some organizations are turning to other solutions. “When you get into the multi-cloud, this is where you see third-party tools come in,” says Brown. “You’re learning all these new ways to collect log files and monitor activity. There’s cloud activity, monitoring connections to VMware, and monitoring on-premises activity. We know log files give you a single-pane view. Some are for management, some are for monitoring, and some are for provisioning. There are a lot of hybrid cloud tools, but you should ultimately be looking at all those things the same way.”
There continues to be a shortage of trained and certified security professionals, so opportunities abound. Becoming well-versed in cloud security technologies and protocols is valuable to modern enterprises across the board, and, therefore, also valuable to IT professionals advancing their careers.