Managing security in the cloud
The decision on whether or not to move security to the cloud could be one of the biggest you will make in the near future. Stephen Schmidt, chief information security officer at Amazon Web Services, looks at the decisions, options and opportunities of security in the cloud.
For many organisations, the prospect of migrating some or the entire IT infrastructure to the cloud is becoming increasingly attractive, with key benefits including cost savings, scalability and more time to focus on the services and applications important to customers.
However, some adopters still have lingering questions about security in the cloud, preventing them from fully embracing all of the benefits that it has to offer. The common thinking is that if an organisation owns a data centre, manages the equipment inside and employs the people who run the machines, then the organisation has positive control of its data and is by default, safe from data leakage.
However, we have seen time and time again that the cloud offers improved security and governance when compared to many government or enterprise owned and run data centres. Here's why: control. In the cloud, CIOs can determine exactly what is running, when it ran, how long it ran and what base machine image it originated from.
Many CIOs worry about the rogue server under a developer's desk running something unauthorised or potentially destructive. In a traditional IT environment, it is really difficult for CIOs to know how many orphan servers such as this exist. In the cloud, a CIO or his/her designee, can make a single API call at any time and see every system, every virtual machine and every instance.
While the cloud can provide a higher level of control, security as a whole is a shared responsibility between the customer and the cloud provider. Cloud providers can be very secure, however if a customer launches an unpatched or vulnerable application in the cloud, they run the risk of compromise. Additionally, you can have the most secure application in the world, but if it is on an infrastructure that is vulnerable, then you are vulnerable as well.
Since security is a shared responsibility, it is important to understand who owns the security at each level. Is it the user or the provider? Cloud infrastructure services such as Amazon Web Services (AWS) offer an extremely flexible computing environment, providing organisations with a significant amount of control over their security. If approached correctly, government agencies can improve their security posture through the use of a technology infrastructure provider.
Governments and enterprises are recognising that cloud computing enables organisations to offload the heavy lifting of managing servers and data centres. This means not only is the security of the physical infrastructure management passed on to the cloud provider, but also the security and the technology that enables virtualisation across multiple operating systems.
Certification and accreditation is certainly not a new process for some. Technology infrastructure providers must achieve certifications and third-party reviews that help agencies, government organisations and companies meet well-understood security criteria. The most widely respected and applicable of these certifications is ISO 27001. Technology infrastructure providers should also undergo SAS 70 Type II audits to ensure they are complying with their own internal policies.
The reliance on auditors to certify the security of a technology infrastructure removes yet another burden from CISOs and since the CISO does not have to spend time conducting audits of his or her own physical data centres, they can focus resources on areas where they are needed most – the applications.
Consider this analogy. The Air Force doesn't hire people to construct a factory and build aircraft. They contract experts such as Boeing or BAE Systems to build aircraft. These are experts that have been building aircraft for years and who have done so by hiring the best and the brightest engineers, builders and architects. The same idea works in cloud computing. Why should organisations take on the burden of building large scale data centres and create infrastructure when there are already experts in business providing this service?
Change is hard. Moving existing applications in existing data centres into the cloud can sound like a daunting task. However there are ways to do this in a relatively painless manner. As agencies with existing legacy applications build migration plans to make their move, many will operate in a hybrid mode as they gain more cloud experience.
One of the ways government agencies are jumping into the cloud is by building a secure and seamless bridge between its existing IT infrastructure and the cloud. With AWS, agencies can do this through the Amazon Virtual Private Cloud (Amazon VPC). This service enables organisations to connect their existing infrastructure to a set of isolated compute resources via a virtual private network connection and to extend their existing management capabilities such as security services, firewalls and intrusion detection systems to include their cloud resources.
Organisations can achieve end-to-end network isolation by utilising their own IP address range, and routing all network traffic between its VPC and data centre through an industry-standard encrypted IPsec VPN. For those who need the highest level of security they can take their VPC one step further and run dedicated instances. This is when hardware is dedicated to a single customer providing physical isolation for all Amazon EC2 compute instances launched into that VPC.
For any cloud provider, security must be its top priority. Most organisations don't have the luxury of dedicating resources to security, unlike the cloud provider, which should be actively investing in security technology, processes and personnel. Cloud security is achievable at scale, and we look forward to watching organisations continue to innovate on their IT practices and reap the benefits of operating in a secure, highly available and cost-efficient technology environment.