Security has always been a major concern for the keepers of a company’s data. And that concern remains as companies move an increasing amount of their business to the cloud. But we see an interesting mindset among many cloud-focused companies—thinking that they don’t need to worry as much about security because cloud providers have it covered. This thinking is misguided and potentially dangerous. Yes, cloud providers are laser-focused on security and have gone to great lengths to secure their cloud. But tenants of the cloud still are responsible for securing the environment they create in the cloud. The distinction is critical.
Security vs. secure environment
Think about it this way: With a traditional on-premises data center, a company must not only secure the workings of the servers themselves but also the physical access to those servers—for example, performing background checks on data center workers, stationing security guards at the data center doors and putting in mantraps at the entrances. In a cloud environment, the cloud providers are responsible for security of the cloud, but companies are responsible for security in the cloud.
Pivoting your focus to be secure from the start
The fact is, as companies embrace multiple cloud environments and cloud providers create and release new services at an increasingly rapid pace, security is just as important as it’s always been—except the focus has changed. Now, in addition to securing their applications, companies need to make sure the infrastructure of their cloud environment can take advantage of the thousands of new services cloud providers roll out each year. And the best way to do that is to make that infrastructure “secure from the start.”
Keys to becoming “secure from the start”
The three pillars of security reference architecture
This new security reference architecture has three key pillars that lay out, at a minimum, the things a company needs to securely place workloads in the cloud:
Identity and access management: Spell out the roles that are authorized to operate in the environment and what they’re allowed to do.
Logging: Capture and record every API action and network call made in the environment.
Encryption: Activate each of the cloud provider’s key management services to encrypt all data and transactions.
By defining new policies and procedures, configuring to the appropriate framework, identifying the relevant controls and creating a cloud-specific reference architecture, a company will be able to securely, and more quickly, take advantage of cloud providers’ ongoing stream of new services to build robust new capabilities and improve business decisions.
Scanning and monitoring the cloud environment
But the task is still not done. The company also needs to build or acquire the ability to scan and monitor all its cloud environments to identify anomalies and subsequently remediate them to maintain compliance. The frequency of scans will depend on the controls involved and the associated risk. For some, such as public S3 buckets, every 10 minutes is required. For others, such as password policy, a daily scan is generally appropriate. Typically, scans are mainly concerned with ferreting out misconfigurations, which are by far the most common issues detected (and, by and large, are also unintentional). In some cases, a company will enable preventive controls, such as changing security groups.
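As an added illustration of the kind of check such a scan runs against the public S3 bucket control (example code written for this page, not the article's or any vendor's own tooling), the snippet below evaluates a constructed snapshot of bucket ACL grants, bucket policy and Public Access Block settings; the bucket names and the snapshot format are assumptions, and the Public Access Block handling is deliberately simplified as noted in the comments.

```python
# Added example (not from the article): a minimal "public S3 bucket" check of the
# kind a periodic misconfiguration scan would run. It evaluates a constructed,
# pre-fetched snapshot of bucket settings, so it makes no AWS API calls.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def statement_is_public(stmt):
    """True if a bucket-policy statement is an unconditional Allow to anyone."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False  # conditioned Allows are left for manual review
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def exposure_reasons(bucket):
    """Reasons a bucket is publicly reachable; empty list means not public.
    Simplified: IgnorePublicAcls cancels public ACLs, RestrictPublicBuckets cancels a public policy."""
    reasons = []
    pab = bucket.get("public_access_block", {})
    acl_public = any(g in (ALL_USERS, AUTH_USERS) for g in bucket.get("acl_grants", []))
    if acl_public and not pab.get("IgnorePublicAcls", False):
        reasons.append("ACL grants access to AllUsers/AuthenticatedUsers")
    statements = bucket.get("policy", {}).get("Statement", [])
    if any(statement_is_public(s) for s in statements) and not pab.get("RestrictPublicBuckets", False):
        reasons.append("bucket policy allows Principal *")
    return reasons


def find_public_buckets(buckets):
    """Bucket name -> reasons, for every bucket the scan should flag."""
    return {b["name"]: r for b in buckets if (r := exposure_reasons(b))}


# Constructed sample snapshot (hypothetical bucket names, not real resources).
SAMPLE_BUCKETS = [
    {"name": "public-logs", "acl_grants": [ALL_USERS]},
    {"name": "web-assets", "public_access_block": {"RestrictPublicBuckets": True},
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
    {"name": "vpc-only", "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}},
    {"name": "open-policy", "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": "s3:*"}]}},
]
```

Running `find_public_buckets(SAMPLE_BUCKETS)` flags only `public-logs` and `open-policy`; the bucket with a conditioned policy and the one protected by RestrictPublicBuckets are left for the next tier of review.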
We hear all the time that the cloud is inherently more secure than a typical company’s own on-premises data centers. That’s true if we’re talking about providers’ protection against access to their servers. But it doesn’t mean the environment a company creates for its presence is automatically just as secure. As companies move more of their workloads to the cloud, and to many different clouds across providers, they need to go beyond the native solutions each cloud provider offers and take a single, common approach that’s applicable to, effective in and independent of all environments. That’s the key to being secure from the start in a multi-cloud environment.