Organizations that choose to implement infrastructure-as-a-service (IaaS) strategies, be it a public or a hybrid cloud strategy, should be aware of the security challenges that must be addressed to protect their cloud-based operations and business.
Infrastructure cloud computing presents a plethora of challenges that are derived from the company's cloud resources, which are located in shared public data centers and can be accessed remotely over unsecured networks.
Additionally, most cloud providers (e.g. AWS, Google, Rackspace, etc.) work on a “shared responsibility” model, which is where both the cloud provider and business customer must ensure deployments are properly secured. This responsibility lays squarely with business customers who must secure all operating systems and applications used over the cloud provider's infrastructure. While some cloud infrastructure providers have tightened up security, hackers have found new ways to penetrate. Lack of proper security infrastructure safeguards will leave a business' data vulnerable.
While there are many solutions available, not every company has the same security needs. Let's take a closer look at four different stages of cloud security needs.
Security best practice in the cloud
Companies in stage one use IaaS on a relatively low scale in a single data center configuration. Businesses looking to reduce costs and improve efficiency will adopt a cloud strategy that delivers computing infrastructure previously only available to large companies. These companies, however, frequently lack in-house IT security expertise. A solution that packages security best practices (firewall, secure remote access, identity-based access policies, etc.) and delivers it “as a service” is the best fit.
Scale and automate security
Stage two companies are more experienced in the cloud and often have in-house security capabilities. Adopting an external security solution is required because manual configuration cannot scale security at the same pace as the business's cloud computing power scales. Automating security helps in-house teams deal with dynamic and vast cloud usage.
When the number of virtual servers in use fluctuates, companies must be responsive. During high or seasonal peaks, traffic can quickly escalate. When demand spikes occur, servers must be added quickly – without worrying about downtime or hackers exploiting the network. Manual configurations introduce a high propensity for error or cannot deliver at peak times. Automated security scaling can protect a company's network regardless how many virtual servers are used.
For companies with remote workers who need access to cloud servers, provisions must be in place to ensure that identity is verified, the connection is secure, and data-in-motion isn't at risk.
Multi-region, multi-cloud deployments
Stage 3 companies are typically fully cloud-immersed and often deploy in multiple data centers, sometimes on multiple clouds, or they adopt a hybrid scenario. However, securing multi-location environments introduces a new layer of complexity.
For deployments to be effective, resources need to be accessed while data travels through multiple data centers. Concurrently, a certain level of redundancy is needed for backup. In short, companies must ensure a secure path.
It's imperative to implement a security layer that can define and enforce network-wide policies over different infrastructures (firewall, access control, encryption). This enables a company to configure security policies network-wide – regardless of how many data centers or physical locations.
Compliance with Security Regulations
Companies that fall into stage four must adhere to government-mandated compliance; this might include, PCI compliance for credit card information or HIPAA for personal health records. Failure to comply will trigger various civil penalties. To meet full PCI or HIPAA compliance, security requirements will include encryption of data-in-motion, complete access logs for servers holding sensitive data, identity-based access management and control, and file and configuration integrity checks.
From the most basic cloud infrastructure users to the most complex ones – the cloud presents a host of new security challenges.
A crucial facet of any security infrastructure is the ability to scale as the business scales. The right security solution needs to be able to take an organization through the three stages incrementally and without disruption.
A strong IaaS security solution should enable a number of things, including network-wide, policy-based configurations as well as automated security configuration to the cloud infrastructure. In conjunction with this, there should also be strong integration of identity-based management to ensure stronger security and unified behavior across the organization's on-premise and cloud deployments. It's also imperative that a flexible, secure way to connect to the cloud is made available – for individual employees, for remote offices, and for private or enterprise clouds (i.e. such as a hybrid scenario).
Security solutions must help organizations extend beyond the boundaries of a single data center to allow deployments across multiple clouds, data centers, and cloud infrastructures. Finally, the solution needs to have security features to support an organization's level of data sensitivity or regulation.
Clearly while the business market is on steady path to cloud adoption, the road will be rocky. Fortunately, a new wave of security vendors is now surfacing with innovative approaches. Newer, unique approaches should enable companies to build and control their own secure, flexible, and scalable virtual private cloud network over any or over multiple cloud infrastructure platforms and data centers.