Common Misunderstandings regarding Security and Cloud Compute

Published on 27 Aug. 2015 / Last Updated on 27 Aug. 2015

Security is a concern when computing in the cloud, and rightfully so; however, there are some misconceptions regarding security threats as well. In this article we will try to filter out the unfounded concerns, so that more focus can be placed on the cloud security threats that are actually real and should be prioritised, rather than on fictitious issues.

Introduction

Cloud computing has come a long way. It has become a more mature technology and a way of computing that many are familiar with and confident in using more widely than before. Although cloud solutions are permeating more and more businesses, confusion surrounding cloud security still hinders the comprehensive adoption of cloud. By no means should we become complacent about security in the cloud, but we should be knowledgeable enough to differentiate fact from fiction and to make informed cloud decisions based on true concerns rather than on concerns that are no more than myth.

We all know the array of business benefits associated with cloud compute; the benefits are such that moving to the cloud seems a no-brainer. However, some find it difficult to overcome the security concerns, both real and not, and so do not take the leap and do not obtain the complete set of advantages available.

Security remains a focal point, with surveillance and breaches evident now and in the future. This does not help to build organisational confidence; security is even more urgent.

Hopefully, by clarifying the real security risks and disregarding the misperceptions, the route to more comprehensive cloud compute may become clearer, security can be managed more effectively and the choice of provider made simpler.

Cloud Misconceptions: What’s real and what’s not?

  1. Public Cloud and security

A very common misconception is that if your data is held in, and you are serviced by, a public cloud, others using that cloud can access your data, and you will also be more vulnerable to attack from others using the same public cloud.

This is not correct. You are sharing the cloud resources with others, but you are secure within the multitenant environment if the proper measures to segregate data are in place. Precautionary security measures like encryption and access control need to be in place to ensure that a breach is not likely to occur.

It comes down to due diligence and making sure that the provider you choose has the necessary measures and policies in place that will satisfy your security needs.

  2. Applications in the cloud

There is a misconception that traditional software undergoes superior vetting compared with cloud applications, making traditional software more secure and reliable. This is not the case.

Cloud applications are continuously monitored, maintained and kept patched and up to date, whereas patching and updating traditional software relies wholly on the end user. Within a business the likelihood of this being undertaken daily or even weekly is slim, but it is commonplace within the cloud environment of a reputable cloud provider.

The likelihood is that your traditional software is more vulnerable than your applications within the cloud.

Another misconception regarding cloud apps is that they are all equal when it comes to securing them. This should not be the case. Each app is used for a different purpose and thus the app should be secured in a manner best suited to its purpose taking into account the type of data it processes, who is using it and for what it is being used. Each app should be secured independently and comply with a unique and specific security policy.

  3. Outside threats, breaches and the cloud

Many consider the cloud to be more vulnerable to outside threats than an alternative service delivery environment. This is not necessarily true. All environments need to be adequately secured against these potential threats. Firewalls, vulnerability scanning, network security technologies and encryption should be used, but this is not unique to cloud environments; it is necessary for all environments. If the cloud is properly secured, it does not have to be more vulnerable to outside threats or pose any heightened security risk.

  4. Control over data residency

This is a concern. It’s critical to many businesses to have control over where their data resides for legal and other reasons. There is a misconception that if you use the cloud, you will not be able to choose the jurisdiction in which to keep your data. This does not have to be a concern. Many providers do offer global data centre options and you can easily choose where to store your data. Data governance can be addressed as long as you choose wisely and use a provider that can guarantee data accountability.

  5. Data security: not as secure in the cloud as on enterprise premises

Some businesses question the level of security offered by a cloud vendor. They often incorrectly consider their data to be more secure on their premises behind their own firewalls; however, this is not always the case.

Cloud vendors place all their efforts and resources into ensuring that their data centres are as secure as can be. They conform to strict compliance standards, and access to data is strictly controlled with physical and biometric parameters. On premises, by contrast, access to company data from within the enterprise is often very relaxed: servers holding critical data are usually not secured and the data is easily accessible to employees, hence easily breached, often as the result of an inside attack.

Cloud vendors offer numerous data centres, backup, disaster recovery and layers of security. They are frequently audited to keep security up to date.

The truth at present is that data is likely to be more secure with a reputable cloud vendor than on most businesses' own premises. It's becoming exceedingly difficult for businesses to stay on top of security, patches, upgrades and vulnerabilities with the same tenacity and dedication as a reputable cloud vendor.

  6. Cloud Certifications and standards

It is incorrect to assume that cloud standards or certifications provide comprehensive security assurance. This assumption is often falsely made.

Certifications alone should not be taken as proof that the provider will fulfil the compliance your business requires. At the end of the day, the responsibility for ensuring that your security needs are being met and that your data is secure lies with you, the consumer. Be sure that you are knowledgeable about the security procedures in place and those offered by the provider, and that the security meets your requirements effectively.

  7. Cloud transparency

A misconception is that all providers offer cloud transparency as part and parcel of the cloud offering. Transparency is needed but it is not always available, as many might believe. When selecting a provider make sure that they offer the transparency that you require so that you are able to make informed decisions regarding your compute processes in the cloud.

You have a right to transparency so make sure this is something you are able to achieve.

  8. Allocation of Responsibility

A common misconception concerns the allocation of responsibility when it comes to security of data. If something goes wrong, who is responsible? Many would like to believe that once they've selected a provider they can wash their hands of any responsibility; however, this is not the case. The customer is ultimately responsible for their data and must ensure the security of that data. The reputable provider will do their best to secure their infrastructure, but it is up to the customer to make sure this is the case and that the data within the cloud is secure at all times. In the unfortunate event of something going wrong, the provider will of course hold some liability, but the customer will also have to answer for any compromise of their data and be held legally responsible.

  9. All clouds are equal?

The cloud is not generic, and all clouds are not alike. This is often a misconception, where businesses consider one cloud to be equal to the next and providers to offer equal services, with the same levels of security and service options.

This is not the case. Reputable providers do offer enhanced security compared with the security many businesses are able to achieve in-house. However, this is not guaranteed from all cloud vendors. Security, reliability and service level agreements will differ from one provider to the next, and it is important to ensure due diligence is undertaken so as not to be disappointed or at risk.

  10. Cloud infrastructure

The misconception that the cloud provider is responsible for managing the data, controlling access and controlling utilisation of the service is common.

The provider must ensure that their infrastructure and application are secure, but it is the user's obligation to make sure passwords are properly protected, devices are correctly managed and secured, and data is secured through encryption. Security will always be a shared responsibility between cloud provider and cloud user. It's important to know your responsibilities to allow for the best attainable security.

Conclusion

One of the biggest barriers to cloud adoption, without a doubt, is security. Yet cloud security continues to evolve as confidence grows and the adoption of cloud technologies expands across the globe.

Ensure that your data is protected: apply the appropriate level of access control and encryption so that your data is protected at rest and when transmitted.

It’s safe to suggest that the majority of businesses will not be able to come anywhere close to handling security better than a large cloud provider with the uninterrupted resources, dedication and expertise necessary.

Cloud tends to be a great security advancement for many businesses, of all sizes. Yes, security risk is present; however, the risk is also present if we choose not to compute in the cloud. What is important is to be knowledgeable about the actual security risks so that we can place focus where required and manage our security appropriately.

In order to achieve this we must maintain a clear understanding of the real cloud threats and disregard the myths and eradicate the misperceptions.

The Author — Ricky M. & Monique L. Magalhaes

Ricky M. Magalhaes is an international information security architect, working with a myriad of high-profile organizations. Monique is an international security researcher; she holds a BSc degree (Cum Laude). Previously she has focussed on research and development at leading enterprises in the Southern Hemisphere.