In this article, we discuss the state of security for the cloud and how cloud systems are secured. We also talk about compliance with regulations and standards, as well as firewalls and other tools, to achieve confidentiality in the cloud, preventing and mitigating DDoS attacks and more.
When a business or any other organization switches to a new computing environment, security is an increasing concern. After all, hackers are costing consumers and businesses between $375 million and $575 million per year. Put another way, cybercrime is equivalent to 0.8 percent of the international GDP.
What about at the level of a single company? According to a Ponemon Institute survey of 2,000 executives, hackers cost U.S.-based businesses an average of $15.4 million annually. That number is twice as much as the worldwide average of $7.7 million – but no matter where your company is, you can expect cybercrime to cost your business millions.
With that in mind, how well protected is a public cloud service? If you cannot say at any given moment where your private data is physically located, should you consider it a safe ecosystem?
A key point is that the cloud should not be considered a radical overhaul but a tweak of conventional legacy computing environments. While this distributed computing model has unique challenges and requires its own set of strategies and defenses, the security industry fundamentally understands how to protect data, and infrastructure experts know how to implement the appropriate mechanisms.
In fact, that aspect of security expertise applied to the cloud indicates a major characteristic of the technology that speaks in its favor: It is a back end that is engineered and maintained by personnel who are focused exclusively on cloud systems. Because of this, New York Times deputy technology editor Quentin Hardy once noted that this hosting model was "probably more secure than conventionally stored data."
Still unconvinced? David Linthicum of InfoWorld has voiced the same perspective, saying that the public cloud is a better place to store data than an on-premise system. Linthicum is fervent in his point of view, arguing that security in the enterprise would improve if IT began to understand how strongly protected the cloud industry is.
Cloud hosting companies have robust security defenses because they know that many people would like to sideline them. They tend to have expertise in systemic precautionary measures, including pattern matching and artificial intelligence.
How cloud systems are secured
Security in a cloud setting is achieved in a similar manner to other computing architectures – with a focus on the specific needs of an agile and dynamic model.
Key steps hosting providers take to secure the cloud include strong enforcement of the perimeters and surveillance – physical barriers including high fences, barbed wire, guards and cameras. These hosts also control access to data systemically, with your workforce, guests and partners separated from mission-critical data. In that context, trained experts apply security mechanisms and practices. Finally, comprehensive auditing of systems occurs at regular intervals.
That last point is particularly important because it gives you a way to tell one cloud host from another. When auditing is performed by independent third-party organizations using recognizable standards, you know that a provider has strong internal protocols and safeguards in place that achieve industrial-grade security management. Let's look at that element before discussing some of the individual components and strengths of a secure cloud environment.
Compliance with regulations and standards
Probably the most common form of third-party compliance or certification that you see in hosting providers and other organizations wanting to win the business of enterprises is the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) – which comes as a SOC 1, SOC 2 or SOC 3 report. This set of guidelines, released by the American Institute of CPAs, basically gives a company a meticulous step-by-step process to check their system and organization controls (SOC).
A cloud provider that has strong enough mechanisms in place to meet the parameters of SSAE 16 will often want to be audited to prove its compliance – even though this standard is not a legal regulation. Note that while SSAE 16 is not necessary to align with data law for your industry, it does show that your ecosystem is robust and conscientiously designed, which is attractive to anyone looking for systems that require their due diligence for regulatory compliance.
Cloud providers actually do have to meet the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) if they want to provide systems for organizations that are handling protected health information (PHI). Actually, the Department of Health & Human Services has stated that public cloud can be a compliant setting if the right security mechanisms are in place.
In order to support transactions and processing payments, a cloud provider has to meet the guidelines of PCI compliance. Like SSAE 16, PCI compliance is not a law. However, it does make sense to get this certification as well to ensure you meet stipulations of the Payment Card Industry Data Security Standard (PCI DSS) – standards developed and enforced by the major credit card companies. These third-party confirmations that strong controls are in place should make you feel confident in a cloud host even when you cannot "see" the machine that holds your data.
Firewalls and other tools
A centerpiece of security for a network, whether legacy or cloud, is the firewall. Firewalls come in hardware and software forms. By setting up a firewall, you can have all traffic entering your network abide by certain rules. Inspection and filtration at that level is what gives the boundaries of your network real meaning. A key concern with the firewall is that it is dynamic: You must be able to change direction as the threat landscape evolves. That is why having security experts on the clock at a cloud host can be so valuable.
Other components in place to safeguard systems in a cloud data center include solutions to prevent intrusion, block malware, monitor integrity and log all activity. These tools come from entities such as Trend Micro, through its suite Deep Security.
Achieving confidentiality in the cloud
Within a cloud, a managed firewall appliance makes sure that your information remains private. Firewalls block access as necessary, log activity for review by security pros and possibly shift rules to better protect the system.
Beyond the firewall's work to control access, you also want the data itself to be encrypted, whether in storage or in motion. Through cryptography, you can hide the details of highly sensitive data so it is unusable by anyone who does not have the private key.
Preventing and mitigating DDoS attacks
Distributed denial of service (DDoS) attacks are on the rise. Various mega-attacks from the IoT botnet army created through the Mirai software, open-sourced last fall, drove hacking headlines, but that is just the glossiest of the news. According to Data Center Dynamics, the average cost of a minute of IT downtime is $7,900, amounting to a loss of $474,000 for an hour offline. These costs for downtime are a major reason why a DDoS event costs the typical business more than $2.5 million.
DDoS attacks involve a flood of junk requests aimed at a target to attempt to push that system off the internet. To protect your applications and sensitive data against DDoS, it helps to have an infrastructure spread out geographically. Seamlessly shifting the flow of traffic to a redundant data center is simple for a cloud provider with multiple ones that are widely distributed geographically.
Through edge protection, you can maintain redundancy throughout your network via integration from numerous providers, giving you multiple options for traffic so that the impact of a DDoS attack is confined. Edge protection additionally reduces risk by masking your server's IP address and location.
Keeping pace with astronomical growth
The cloud is now growing an incredible seven times faster than the rest of IT, with businesses of all sizes and across all industries using it to build their businesses. More mission-critical data is now shifting to these systems. Companies typically make these transitions because they want to benefit from cost-effectiveness, speed and flexibility gains. However, these firms are also showing that they are becoming less concerned about the issue of security.
The reason people are becoming more confident in these distributed architectures is that they understand cloud service providers have skills and knowledge on staff that extends beyond the IT protective capabilities most companies have in-house, especially firms outside the technology sector.
The importance of proper management
Professional management is a major part of what makes the cloud or any other IT environment secure. A strong service provider will be able to deploy solutions that meet a company's cost and agility needs while also expertly protecting your data.
If you need managed cloud hosting, by leveraging a strong provider, you can take advantage of security features such as intrusion-detection systems, custom-built firewalls and comprehensive anti-malware protection to achieve ongoing data safety.