Copyright – Les Echos – Fabien Rech
Would you give your house keys to a complete stranger when you are on vacation? Probably not. Human instincts opt for a safer solution.
The question of security is the major constraint preventing more widespread adoption of cloud computing technology. A study by Crowd Research Partners revealed that nine out of 10 professionals worry about safety and security. Data breaches remain the biggest concern for businesses that deploy private cloud servers, software cloud servers (Software as a Service, SaaS), or infrastructure cloud products (Infrastructure as a Service, IaaS).
Still, overall spending on cloud services is not suffering as a result, with 80% of all new IT budgets expected to be dedicated to cloud investments in the upcoming year.
In addition to the specific security solutions a client can adopt to secure a data center or a cloud solution, one of the major distinguishing characteristics of the cloud is that providers rely on a shared responsibility model that distributes the risks between buyer and seller.
Typically, SaaS providers offer various security levels and application systems, while IaaS specialists tend to leave those responsibilities to the client. No public cloud provider today seems to assume full responsibility for user access and data protection, although there are steps that can be taken to support the client's own efforts.
Different standards, necessary reflection
Managing a system environment for a secure IaaS resembles the installation and upkeep of a home plumbing system, built from components such as operating systems, networks, virtual machines (VMs), and the management of services and containers. The challenge here is trusting the cloud provider to handle maintenance at the system level, through bug fixes and updates.
Cloud providers are also capable of offering an all-inclusive service that includes the virtual server instances necessary to resolve all bugs in real time. One of the drawbacks of the public cloud is the possibility of forgetting to shut down VMs and containers that were started and are no longer needed. These so-called “zombie” processes constitute a hidden security threat in most systems.
Today, more and more companies rely on containers to simplify application deployment and the management of the underlying infrastructure, and they use containers to rapidly deliver new applications both on a physical server and in a VM. However, companies should be aware that this market is not yet mature and that security — even if it is improving — remains one of its weak points.
Within the framework of application security, which primarily covers identity and access management, major financial investment is not necessarily the best course of action. One alternative is to define and implement a policy that limits users' ability to deploy applications in cloud IT without checkpoints. Next comes the need for an approach based on employee recognition and identity management. To reduce the risk of identity theft, you should opt for multi-factor authentication, which combines several devices/applications (SMS, email, face recognition, etc.) before allowing a person access to a system.
Employees must also contribute to security, particularly when accessing applications that use identity management tools; this implies that internal teams use the same protocols, such as LDAP or Active Directory, to reach protected information.
For companies that already operate this type of directory, adopting a cloud broker provides a single sign-on that lets users reach all cloud services from their local directory. With such a tool, the IT team regains control over direct access from the workstation and gains greater visibility into users' own information. Choosing a secure VPN gives the company the assurance that employee sessions and sensitive data are never exposed to the public internet.
The issue of encryption
What is sure regarding data security in the cloud today is that no supplier is ready to take responsibility. Granted, certain security options, such as the encryption of data, are on offer. But you would be surprised to learn that the data is only partly encrypted or that the option for encryption is simply not offered by some suppliers. All IT professionals should be aware that the AES 256-bit encryption is now considered inadequate.
In terms of encryption, the most important thing for a company is to retain control of the key that protects its data. Otherwise, the risk of loss and theft is real. Similarly, data should not be encrypted when used. However, some providers require data to be transmitted in plain text, which also poses a security risk.
It is crucial to understand that the cloud is a technology that cannot be secured in a piecemeal manner. From start to finish, the challenge is in finding solutions that can be integrated within the overall IT environment and not built on afterwards.
Before committing to a cloud contract, companies must secure certain prerogatives. No matter the chosen provider, the security guarantees must be stipulated in the contract and in the SLA.
The agreement between the supplier and the client must specify what measures will be employed, penalties for the service partner in the case of non-compliance, how non-compliance will be deferred, and how the assessment of non-compliance will operate with respect to contractual conditions. In short, all parties should agree on how to truly guarantee that the cloud’s keys will not be slid under the door, accessible to anyone who passes by.