How Secure is the Cloud


Cloud service providers should treat cloud threats as a top priority for their clients (cloud migrants and newbies).

There is a perception that once your IT infrastructure is moved to the cloud, your data is at risk. The cloud platform is software virtualization of physical hardware. It allows the virtual platform to achieve a degree of granularity that would be uneconomical or prohibitively expensive in a physical environment. Placing IT infrastructure in the cloud is far more secure than keeping it on-premise.

In my honest opinion, cloud service providers should be able to address the cloud adopters’ concerns – data breaches, data loss, hijacks, insecure APIs, malicious threats, etc. – and make efforts to keep these risks as low as possible. As indicated in one of my articles, ‘Cloud Migration Benefits’, security is much easier and cheaper to manage in the cloud.

Security concerns associated with the cloud fall into two (2) categories:

  1. The cloud provider, and
  2. The client (cloud migrant/newbie)

The responsibility is shared. The provider must ensure that the infrastructure is secured, and the customer ensures that the data and applications are secure.

For the benefit of this discourse, we focus on the cloud provider's responsibilities, as we are attempting to show that the perception of on-premise infrastructure being more secure is false, and that the advantages of the cloud, due to its architecture and advances in technology, make the platform far more secure and more economical.

 The first layer of the cloud platform is the Data Center where the cloud infrastructure resides.

This is the physical layer of security. A tier-III certified data center adheres to very strict processes and procedures that contribute to the security of the platform that resides within. It is also a prerequisite that the site is isolated and nondescript, such that only authorized personnel are aware of the site and its function. There should also be a buffer zone around the site. The data center has no windows and the building is designed to be bomb and blast-proof. The data center utilities have redundancy installed. Since the data center is purpose-built, it will meet the criteria for data center design much better than an on-premise data center/server room.

Within the data center, there are rooms that are segregated and lockable. Within these rooms, there are racks that are also segregated and lockable. The cloud infrastructure is enclosed within these racks. Access to the room does not automatically mean access to the rack and, in turn, to the cloud infrastructure. Also, being a shared services platform, there is a degree of anonymity. In an on-premise installation, there is only one customer, whose infrastructure is easily identified, which makes the environment less secure.

The data center generally has at least ten levels of security from the main gate to the inner gate before getting to the data center entrance. There is also biometric access. Responsibility for the outer security is segregated from responsibility for the inner security. A 24-hour notice is also required for access, and a protocol is observed that ensures that only vetted and pre-authorized personnel can get access. There is digital surveillance covering the entire site. CCTV footage is retained for a minimum of a year so that all access is monitored and recorded. It is important to know that the human traffic around the data center is restricted to personnel with data center specific business. This is in contrast with the on-premise data center/server room installation, which could reside amongst other company business, thereby exposing the installation to a big security gap, as it is not practical to segregate staff adequately from the on-premise server room.

 The next layer is the Cloud Platform.

There are normally three levels of firewalls; a perimeter firewall, top of rack firewall and a cloud firewall.

This is the point where the network virtualization is implemented. One can think of it as a functional equivalent of a network hypervisor. The cloud layer firewall reproduces Layer 2 to Layer 7 networking services (e.g. switching, routing, firewalling, load balancing, VPN, access control and QoS) in software. This architecture is more flexible, faster and cheaper to deploy than the physical equivalent. It is also far more agile and able to implement far more secure and complex architecture. The capacity is also elastic and expansion can be achieved on the fly, unlike a physical environment, which is limited by the device size and capacity, especially if the demand surge is a temporary spike. It makes an attack like a DDoS insignificant.

 There is an ability to create a third layer of firewall specific to the individual virtual machine. This reduces the surface for threats and attacks. If one virtual machine is compromised due to a breach of the top of the rack firewall, the rest of the virtual machines in this group are protected. This is not achievable in a physical infrastructure without a prohibitive expenditure and an incredibly complex configuration. Yet in this environment, it is agile and dynamic. Advanced security capabilities such as threat prevention and malware protection are available through API-level integration with third-party partners.
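The layered model described above can be made concrete with a small default-deny policy evaluator. This is an added example, not part of the original article; the addresses, ports, rack layout and rule sets are constructed assumptions chosen to show why a per-VM firewall still protects a database when another VM in the same rack is compromised.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: int  # destination TCP port

def allows(rules, src, dst, port):
    """Default deny: the flow passes only if at least one rule matches."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(r.src) and d in ip_network(r.dst)
               and port == r.port for r in rules)

# Constructed topology: one data center (10.0.0.0/16), one rack (10.0.1.0/24).
DATACENTER = ip_network("10.0.0.0/16")
WEB, DB, OTHER = "10.0.1.10", "10.0.1.20", "10.0.1.30"
PERIMETER = [Rule("0.0.0.0/0", WEB + "/32", 443)]
TOP_OF_RACK = [Rule("0.0.0.0/0", WEB + "/32", 443)]
PER_VM = {
    WEB: [Rule("0.0.0.0/0", WEB + "/32", 443)],
    DB: [Rule(WEB + "/32", DB + "/32", 5432)],  # only the web tier reaches the DB
    OTHER: [],
}

def same_rack(a, b):
    """Assumption for this model: a rack is one /24 subnet."""
    return ip_network(a + "/24", strict=False) == ip_network(b + "/24", strict=False)

def flow_allowed(src, dst, port, per_vm_firewall=True):
    """Evaluate only the firewalls the flow actually traverses, outermost first."""
    layers = []
    if ip_address(src) not in DATACENTER:
        layers.append(PERIMETER)            # traffic entering the data center
    if not same_rack(src, dst):
        layers.append(TOP_OF_RACK)          # traffic entering the rack
    if per_vm_firewall:
        layers.append(PER_VM.get(dst, []))  # enforced at the VM's virtual NIC
    return all(allows(rules, src, dst, port) for rules in layers)
```

With `per_vm_firewall=False`, traffic between two VMs in the same rack crosses no firewall at all, which is the flat-network condition the per-VM layer removes.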

 The next layer is the Hypervisor Layer.

This is the abstraction layer. This is where the attributes of the x86 physical server (e.g. CPU, RAM, Disk, and NIC) are reproduced in software. There is data isolation and logical storage isolation. The virtual machine that is created at this level can be created with encryption that makes access to the virtual machine far more secure. Again, the elasticity of capacity growth makes the environment more stable to the impact of spikes and surges in demand. In a physical environment, such an event would cause the platform to crash. This architecture lends itself to a built-in disaster recovery solution. The environment is able to be copied and saved in a recovery site. In the event that disaster recovery is invoked, the environment is moved at the push of a button. It also reduces the RTO (recovery time objective) by up to 80%.

The shared service structure allows for agility in the form of the ability to patch the whole environment quickly and a quicker response to threats. There is a greater degree of separation of responsibilities, with a higher skill set associated with each group. This separation of responsibilities makes an inside breach less likely, as it would take several separate groups colluding to create a threat. Within most organisations, by contrast, there is less granularity, and individuals are more likely to be performing multiple roles. This can lead to failures in the system.

 Most importantly, there is a team of highly trained individuals monitoring the environment and resources to ensure there are no breaches or anomalous activities. It is also easier to implement layers of application-specific monitoring.

You can carefully peruse for your cloud IaaS needs.

