The public cloud is no different than an on-premises data center. It consists of underlying compute hardware, storage, hypervisors, and networking providing the platform to run an application. And just like your on-premises data center, securing it can be a difficult task. While many security risks exist in both cloud options, the public cloud does present a few new challenges. Understanding these risks can help lead to a secure cloud.
On-Premises and Public Cloud Security Issues
Let's start by taking a look at the similarities in securing both clouds. First of all, each has a perimeter that needs to be locked down. Firewall solutions are the front line of defense of your data. These can be physical as in the case of on-premises or virtual in the public cloud. Used in conjunction with network access control programs such as Aruba ClearPass, firewalls are the gatekeepers to the cloud. Once inside the network, microsegmentation can further lock down the data center.
According to Network World, microsegmentation is defined as "a method of creating secure zones in data centers and cloud deployments that allows companies to isolate workloads from one another and secure them individually. It’s aimed at making network security more granular."
Microsegmentation allows for protection between endpoints and systems inside the perimeter, also known as "east-west" traffic, and not just ingress and egress protection afforded by the firewall.
Securely connecting site-to-site is an important step regardless if it's from one data center to another or from the on-premises data center to the cloud. Legacy technology such as VPN works well for individual workers connecting into your corporate network, but when you're connecting data centers, a more robust solution is necessary. SD-WAN can be implemented to extend secure networking between data centers with high reliability and performance.
Public Cloud Threats
While distributed denial-of-service (DDoS) attacks can affect a physical data center, they provide a twofold problem for public cloud-hosted environments. Access to the control plane of the cloud can be impacted all while the client or employee-facing applications can be impacted. The major cloud providers do have DDoS mitigation procedures in place, but they do not cover your cloud workloads. A DDoS mitigation solution such as CloudFlare should be placed as a barrier between the workloads and the potential bad actors on the Internet.
With just a few keystrokes, a bad actor inside the company can permanently destroy an entire public cloud deployment. To mitigate these threats, all cloud-hosted data should be protected via backup and replication software. Remember, the cloud providers do not guarantee the protection of your data on your systems, the onus is on the customer. Limiting access to various aspects of cloud infrastructure can also protect against purposeful or accidental deletion. Restrict the members of the IT team who have these rights to as few people as possible. Rights can still be granted to build and destroy specific instances, but the administration of the full virtual cloud needs to be locked down. Accessing the account of a cloud administrator by a bad actor can give full control of your cloud with no ability to recover. Multi-factor authentication should be implemented to prevent this from occurring. Automation is another tool that can help prevent the deletion of cloud infrastructure.
While the public cloud is commonplace in the world of IT, so are security threats. The cloud providers maintain the patching and maintenance of the underlying infrastructure, it is on the cloud consumer to guarantee the security of their environment. Hackers continue to hone their craft as technologies evolve, and cloud administrators need to work just as hard to guarantee protection for their business.
