When the discussion turns to the use of public cloud, statements are often made that the cloud is not secure. According to the National Institute of Standards and Technology, public cloud is an “infrastructure [that] is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.”
While enterprises often do not question the security of their private clouds, the level of security concerns seems to rise when it comes to public clouds.
Why is that?
Traditionally, large public cloud providers have been very secretive about their security measures, neither responding to clients’ requests for information nor allowing their clients to audit their environments to verify that appropriate security measures are in place.
The lack of breaches seems to demonstrate that these environments are actually quite secure, but the lack of communication leaves the situation open to interpretation. Amazon Web Services (AWS) definitely improved its communication when it released the Amazon Web Services: Overview of Security Processes document last June. Google also documented its security approach (although it is still questionable whether it truly addresses the issue in a transparent manner). And Microsoft Azure’s white paper on security, dated August 2010, is also publicly available.
These documents describe the security aspects of the infrastructure on which your applications will run. However, they do not describe the end-to-end security that will protect your application once you expose it to the Internet. Ultimately, that is what you need to think about.
Public Cloud Security is a Shared Responsibility
Infrastructure security is more often than not handled by the service provider. In other words, the service provider will ensure your applications and data are fully isolated from other companies in a multi-tenant environment. This ensures that another user of the same service cannot access your applications and data from within the shared infrastructure in which both companies run their applications. But it is your responsibility to ensure an external hacker cannot get into your applications and steal your data. You cannot expect your service provider to take that responsibility if you use IaaS.
How Should I Manage My Public Cloud?
So what do you need to take care of when you develop an application or a service that will run on a public cloud environment?
The Cloud Security Alliance published a document titled “Practices for Secure Development of Cloud Applications.” AWS also developed an interesting document describing best practices for securing applications that run on its service. Although some of these practices are quite specific to AWS, both documents are worth reading to extract best practices.
In a nutshell, the public cloud service provider will ensure your compartment is secure.
This leaves you responsible for ensuring the content of your compartment is not hacked into from the outside. And this is actually not that different from what you do in your datacenter. The difference, of course, is that you are now operating in a virtual environment rather than a physical one.
I often hear that open source is not secure. Let me share with you the OpenStack security guide, a very comprehensive document describing how OpenStack security is set up. As you will see, it is quite similar to what other service providers are already doing.
Nevertheless, public cloud service providers should be more transparent in the description of their services. The only way you can truly compare the security levels of each of them is by using the CSA (Cloud Security Alliance) STAR (Security, Trust and Assurance Registry) submissions. While it doesn’t tell the whole story, it’s a good starting point.
What do you think?
Let’s continue the conversation. I would love to hear your opinions, stories and experience.
- Christian V