The commoditization of technology has reached its pinnacle with the advent of the recent paradigm of Cloud Computing. Infosys Cloud Computing blog is a platform to exchange thoughts, ideas and opinions with Infosys experts on Cloud Computing


Public Cloud Security: is it still a concern for enterprises?

Author: Jitendra Jain, Senior Technology Architect (Architecture & Design Group, Infosys)

Introduction

Cloud computing has become an integral part of IT modernization in enterprises of every size, from small to large. It is considered a major milestone in the transformation journey. Cloud computing changes the way enterprises store, share and access data for services, products and applications. Public cloud is the most widely adopted model of cloud computing. As the name suggests, a public cloud is available to the public over the internet and easily accessible via the web, either free of charge or on a pay-as-you-go basis. Gmail, O365 and Dropbox are some popular examples of public cloud.

Public cloud services eliminate extra investment in infrastructure, because all the required hardware, platform architecture and core operating software services are entirely owned, managed and maintained by the cloud hosting vendor.

According to McAfee research, almost 76% of enterprises have adopted at least one public cloud service provider, for any kind of cloud offering (SaaS, IaaS or PaaS). This shows the popularity of public cloud.


Security challenges with public cloud

Utilization of the public cloud model is steadily increasing, so an enormous amount of data is moving into the cloud, which inevitably raises the risk to data security and protection. Security remains one of the topmost concerns for any organization. Across the world, security breaches, data center breaches, security threats, hijacking and malicious attacks make the top headlines in print, digital and social media. Organizations regularly raise security concerns about public cloud. One recent example of a security breach is Equifax's data breach in 2017. Equifax announced a cyber-crime identity theft event potentially impacting approximately 143 million U.S. consumers. Because of these security issues, enterprise leaders and CIOs are still reluctant to move their applications, workloads and services into the public cloud.

The challenge lies not only in securing the cloud but also in verifying the security policies and security-specific technologies, and in finding a way to control them. In most cases it has been observed that the user, rather than the cloud provider, was responsible, because the user failed to manage and follow the security policies and guidelines provided by the public cloud provider.

In a public cloud model, security is provided by third-party cloud service providers or vendors. Consumers, i.e. organizations, therefore need to be extremely careful and vigilant about the level of privacy and security required for the data or workloads they host on public cloud. Confidential or sensitive user data such as SSN, PHI, PII and CVV can't be shared with a third-party cloud provider. However, information such as product catalogs, media content, static data or any other type of non-critical data can be moved to public cloud. Some major security threats when using a public cloud platform are listed below.

[Figure: major security threats when using a public cloud platform]

Core objectives of an enterprise when moving workloads to cloud

Any organization that is moving to cloud, or is in the process of migrating its workloads to a cloud platform, has four fundamental goals in common: data security, compliance, cost and scalability. If it gets assurance on all of them, it can move ahead quickly; otherwise it cannot.

[Figure: core objectives of an enterprise when moving workloads to cloud]

Public cloud: major myths vs. ground reality (explore the truth)

  • Myth: In the public cloud world, multiple customers share the same network because of the multi-tenant nature of the environment, so they can easily attack each other and steal each other's critical data.
  • Reality: In reality it is not easy for one subscriber to attack another, because of the strong and secure hypervisor layer where the core separation among different subscribers takes place. Public cloud providers also offer other preventive options to avoid multi-tenancy related issues, so organizations should understand the ground reality before they take any decision.

 

  • Myth: In the public cloud world, maintaining security is a highly cumbersome task. It requires an additional skill set and more resources, which may add significant cost to the overall program.
  • Reality: In reality it is not at all a complex task, thanks to the latest security architecture models and the various provisions offered by top cloud vendors (e.g. AWS, Azure, GCP, Oracle). As of 2018, it amounts to little more than basic application-level configuration. Any resource can maintain and control it after some training. Cloud providers share extensive training and knowledge artifacts to overcome this problem.

 

  • Myth: In the public cloud world, 100% of the onus for security assurance is on the cloud vendor. Subscribers have no role in it other than consuming cloud resources.
  • Reality: In reality this is not true. The cloud provider shares well-defined contracts in terms of APIs and services, along with appropriate access control mechanisms for end users or subscribers to follow, but in most cases subscribers fail to follow them, and secure accounts and credential-related sensitive information are stolen. Security assurance is therefore ultimately a core responsibility of each and every employee of the subscribing organization. SSO, MFA, encryption and other security mechanisms have to be followed religiously in an organization to secure data and the environment.

Public cloud security current state

  • As per the RightScale 2017 survey, public cloud holds 41% of total workloads in the overall workloads category, which is more than private cloud at 38%. Even in the enterprise workload category, public cloud (32%) is chasing private cloud (43%).
  • Currently public cloud seems the more secure and robust option in most cases.
  • Enterprises are keen to put their non-sensitive data on public cloud with extra security measures.
  • In 2000-2010 public cloud started out with major security issues, but in the current scenario (2017-2018) these have genuinely been addressed by all the major public cloud providers (AWS, GCP, Azure, Oracle, SFDC etc.). However, unauthorized access incidents are also growing rapidly.
  • Public cloud has less planned downtime than on-premise solutions.

Concluding remarks...

As a matter of fact, public cloud security is still a well-known bottleneck for cloud adoption. Some enterprises are not able to avail themselves of cloud computing benefits because of security concerns. But despite all of these issues, the cloud adoption rate is constantly increasing, which shows that most enterprises are geared up and ready for cloud transformation. Organizations can take some preventive measures for security assurance. They are listed below:

  • Choose the right vendor, based on the business model
  • Educate your own employees; they should also feel accountable
  • Hire the right talent to use the cloud environment; good training can certainly help
  • Follow proper cloud governance across the organization and set up a solid process
  • Enforce strict access control policies and track them closely
  • Monitor applications and data in real time for security vulnerabilities, and take action against defaulters
  • Alert on, audit and monitor networks, services and APIs
  • Deploy additional security software to protect data and applications
  • Apply cognitive AI techniques for security protection; this adds an automation culture
  • Do not put sensitive data on cloud (e.g. PHI data, SSN, health records, defense information, CVV etc.)

Final message from author

Public cloud still seems to be a better and more secure option if chosen carefully based on the above suggestions. In the current digital computing arena enterprises cannot ignore its importance. Sooner or later everyone will have to adopt a public cloud environment, so it is better to start exploring the right model at the earliest.

