Cloud Security: Whose responsibility is it?

Organizations in India are going through a transitional phase and Indian businesses today are embracing cloud. Most organizations are trying to determine how their traditional on-premises infrastructure will work when they start leveraging cloud resources.

The public cloud services market in India is projected to grow 38% in 2017 to total USD 1.81 billion, according to Gartner. In fact, most cloud vendors see India as a key market. Till early last year, most key cloud vendors did not have datacenters in India. However, today for both Microsoft Azure and Amazon Web Services, the story has changed. In a recent survey by Vanson Bourne, we found out that 85% of Indian respondents reported that they trust public cloud more than they did five years ago. 77% of those surveyed in India also felt confident that their organization’s move to the public cloud was secure.

However, security is a totally different ball game in cloud when compared to traditional IT environment. It is very important to carefully analyze the new security requirements for the new cloud environment and not just continue with the same tools as in the traditional IT environment.

Consider a different set of tools

Next-generation firewalls are purpose-built for datacenter architectures (on-premise) where everything is tightly coupled and traffic flows through firewalls that scale vertically. However, public cloud best practices dictate building loosely coupled architectures that scale out horizontally (elastic).

It’s critical to understand the cloud environment that your applications will be deployed in, and the native services that the infrastructure-as-a-service (IaaS) provider offers to achieve security control coverage. Then, you can instrument in your required controls that leverage the provider’s deployment best practices.

This doesn’t necessarily mean bringing in legacy datacenter architectures and tools, which tend to be ‘anti-patterns’ in the cloud. Perimeter-based firewall architectures are highly effective in a datacenter, for example, but can become sources of friction when deployed in the public cloud.

Instead you should think through the actual security controls you need to cover and use tools that leverage the agility and elasticity of cloud infrastructure — both technically and commercially.

A cloud generation firewall needs to be tightly integrated into the IaaS management fabric. It must support a license-less commercial model that enables automated deployments that don’t incur licensing costs unless they actually see production traffic.

Confusion about security responsibilities

As we move further into the cloud generation, there’s still confusion about security responsibilities. We’re heading in the right direction, but we still see a lot of organizations that are just getting started in the cloud, so it’s still an important part of the discussion.

All the major cloud providers clearly state the security controls that customers inherit with their platforms; however, when customers move applications to the cloud — the responsibility of securing those applications falls on the customer.

In fact, the Vanson Bourne survey revealed some interesting data related to the shared security model. The majority of the survey respondents believe that public cloud providers are responsible for securing customer data and applications in the cloud, which proves that there’s still a lack of clarity around the subject. It would be beneficial for any organization running workloads in the cloud to have a conversation about security.

Handy hints

Look for third parties that support a wide range of ecosystems with the same or similar solutions. Organizations often end up with multiple cloud providers, as well as having an on-premises (legacy) infrastructure. This can have implications on complexity and overall costs; it's further compounded when third-party solutions such as security are added to the mix.

Consider third parties that offer equivalent licensing options to how you’re licensing your public cloud infrastructure. As organizations weigh licensing options – by usage, per hour, unlimited, etc – we see customers beginning to understand how they can leverage different ones to gain greater cost controls. This becomes more important when third-party vendors are added to the mix.

Finally, look for vendors who can provide a common management scheme – either in their products or using public cloud security infrastructures – to simplify managing and monitoring ongoing security. Companies deploying the most common security routine – routing branch locations' traffic through a central security solution – generally find these solutions lack scale and cost benefits as their cloud leverage increases. Those that look at distributed security solutions closer to the point of access, such as next-generation firewalls and web application firewalls, reduce those issues but find new ones in managing multiple devices.

The author is a senior sales engineer for Australia and New Zealand at Barracuda Networks 

Adidas