Cloud security is on the top of every CIO's mind. Apparently some people even consider that cloud risks outweigh cloud benefits.
Unfortunately, an overzealous approach to cloud security can lead to arguments that detract from the real issues, with little to no analysis of the specific problems at hand.
Below is a list of cloud security issues that I believe affect large organizations:
- Your existing company probably has separate application, networking and platform teams. The cloud may force a consolidation of these user groups. For example, in many companies the EC2 administrators are application programmers, have access to Security Groups (firewall) and can also spin up and take down virtual servers.
- Corporate environments are usually administered on-premise or through a VPN with two-factor authentication. Strict access controls are usually forgotten for the cloud, allowing administrators to access your cloud's control panel from home and make changes as they see fit. Note further that cloud access keys/accounts may remain available to people who leave or get fired from your company, making home access an even bigger concern...
- Corporation are used to stringent access and audit controls for on-premise services, but maintaining and validating what's happening in the cloud can become a secondary concern. This can lead some companies to lose track of the exact security posture of their cloud environments.
- Specialized tools may not be able to go into the cloud. For example, you may have Network Intrusion Detection appliances sitting in front of on-premise servers, and you will not be able to move such specialized boxes into the cloud. A move to Virtual Appliances may make this less of an issue for future cloud deployments.
- Cross border issues are a big challenge in the cloud. Privacy concerns may forbid certain user data from leaving your country, while foreign legislation may become an unneeded new challenge for your business. For example, a European business running systems on American soil may open themselves up to Patriot Act regulations.
- Who has access to the cloud and what can they do? Can someone spin up an Extra Large machine and install their own software? (LabSlice adds policy management to stop this from happening). How do you backup and restore data? Will you start replicating processes within your company simply because you've got a separate cloud infrastructure? Many companies are simply not familiar enough with the cloud to create the processes necessary for secure cloud operations.
- Any auditing activities that you normally undertake may be complicated if data is in the cloud. A good example is PCI -- Can you actually prove that CC data is always within your control, even if it's hosted outside of your environment somewhere in the cloud ether?
- Do you ever need to mix data between your public and private environments? It can become a challenge to send data between these two environments, and to do so securely. New technologies for cloud impedance matching may help.
- You will likely have central systems monitoring your internal environment and collecting logs from your servers. Will you be able to achieve those same monitoring and log collection activities if you run servers off-premise?
- Some companies run periodic penetration testing activities directly on public infrastructure. Cloud environments may not be as amenable to 'hacking' type activities from taking place on cloud infrastructure that they provide.