Cloud computing is secure. There, I’ve said it. It may sound like an obvious thing to say for someone who works at a company specialising in ensuring a smooth, reliable and secure network, but there are still misconceptions about cloud security.
The exponential growth of data and where to store it is still a concern for a lot of organisations. Putting your information in local storage or cloud-based offerings shifts, but doesn’t necessarily reduce or increase the security risk. In a highly dynamic environment, with services being able to pop up and be removed on demand, it’s going to be a difficult job for any organisation to truly understand exactly where its data lies; “abstraction” after all is the purpose of the cloud.
A good example of how this abstraction affects security can be seen in OpenStack’s Object Storage (Swift). In this case, objects and files are written to multiple disk drives spread throughout servers in the data centre. Should a server or hard drive fail, OpenStack replicates its content from other active nodes to new locations in the cluster. The practical benefit of this architecture is clear to see, but we equally have to be mindful that this layer of abstraction has also abstracted the security from the control of the user.
There is also a concern that cloud providers do not secure their environments to the same standards as a business would secure its own data centre. There are fears over controlling who has access to that data.
But as cloud providers are often an attractive target for attackers (due to the variety of data they could be storing), these companies can and do expend vast resources on security. After all, it is their reputation and even their entire business on the line if something goes wrong.
Either way, using the cloud does not mean settling for less security than you’d get in-house. If fact, it can mean extending your own security out to the cloud environment and adding that to the security offered by the cloud provider.
Sending your data out to the cloud does not take it outside your responsibility. Businesses can and should ensure that any policy they have regarding security in-house is enforced beyond the perimeter of their organisation as well. This means the policies you know and trust are enforced regardless of where they are deployed from, and where the user is located.
Cloud security all comes down to implementing protection in ‘onion layers’. For example, tools are available to encrypt your data before it gets into the cloud and then open access methods like SAML can help control who gains remote access while maintaining control of the user directory. Ensuring your own policies are enforced regardless of where the data is being held provides peace of mind that your business will be safe even when adopting cloud computing.
The cloud is as secure as you make it – and why would you make it any less secure than your on-premise infrastructure? If fact, moving to the cloud can provide your business with agility and flexibility while improving control and access over your applications and data.
Just make sure your security is as elastic as the cloud that you are using.
Martin Walshaw, senior engineer at F5 Networks