When businesses move applications and data to the cloud, they lose control of certain aspects of digitized information. The cloud changes how information is stored and transported between applications and clients, and this loss of control exposes personal and corporate data to threats and vulnerabilities in ways not considered in traditional IT architectures.
Cloud providers offer varying levels of support and control for the IT infrastructure that hosts the applications and data. This encompasses Infrastructure as a Service (IaaS), where the physical hardware is owned, managed, and leased by the service provider, as well as Platform as a Service (PaaS), where the operating systems, database infrastructure, and even Web servers are managed by the service provider. Finally, one of the most recognized is Software as a Service (SaaS), where the applications are owned and managed by the service provider and the business only has to provide the data used by the application.
Because control changes as businesses adopt these cloud architectures, policies and security must be adjusted and redesigned to fit the new environment.
Managed services means managed threat exposure
Relinquishing control of different components means you’re also surrendering control and oversight of the associated security policies. If the service provider is managing and supporting the server operating system, then you have to assume the service provider is maintaining the security policies. The system needs to be updated and patched on a regular basis to protect against vulnerabilities and there needs to be regular testing of managed solutions to ensure there are no weaknesses in the products or architecture.
Unfortunately, in today’s ever-changing IT security environment, it’s not enough to expect cloud providers to complete the due diligence necessary to understand and protect all their customers’ applications and data. This means businesses are, ultimately, still responsible for their security.
When applications and data are placed in cloud environments, it usually means that accessing the information requires connectivity to the public Internet. Further adding to the security concerns, information can be exposed to individuals viewing Internet traffic or acting as a man in the middle (MITM). Hackers can easily attack and attempt to compromise applications and data, since the protections that would have been built into a private IT architecture, specific to a business’ IT security requirements, are non-existent or extremely limited.
Assume everyone is a threat
There are three primary actions a business must consider during a move to the cloud to help mitigate threats. All three considerations are equally important, because no matter which vector becomes an avenue to compromise, the application and all its related data become exposed and vulnerable.
IT infrastructure must be protected and hardened – This is a combination of the service provider managing the security risks of the components it provides, as well as the business applying additional protections. These extra security measures may include a solution such as a cloud-based DDoS mitigation service.
Applications must be secured – Assume that applications are accessible by malicious parties, and secure them with extra care. Include modern security technologies to provide the maximum protection possible, including a Web application firewall (WAF) solution to deliver enhanced application security in the cloud.
Applications and data should be encrypted end-to-end – Public network infrastructure cannot be trusted, so protect the privacy and integrity of your information. High-performance encryption solutions must be a priority when moving applications and data to the cloud.
To the cloud and beyond
The cloud ensures applications and data are accessible anytime, anywhere, and to any device. But with this convenience, businesses also have an obligation to make sure information is delivered reliably and securely. Leveraging and applying the lessons learned from IT security to cloud architectures will ensure more secure and connected businesses in the future.
Frank Yue is the Director Application Delivery Solutions for Radware. In this role, Yue is responsible for evangelizing technologies and trends around Radware's ADC solutions and products. He writes blogs, produces solution architectures, and speaks at conferences and events around the world about application networking technologies. Prior to joining Radware, Yue was at F5 Networks, delivering their global messaging for service providers. Yue has also covered deep packet inspection, high performance networking, and security technologies. Yue is a scuba diving instructor and background actor when he is not discussing technology.
Edited by Stefania Viscusi