Topics in this article
The COVID-19 pandemic moved countless workloads to the cloud as employees shifted to remote work. As more organizations continue to engage managed service providers (MSPs) for hybrid cloud transformations, they need to be aware of multiple variables. Along with cost, cloud security is top of mind for most organizations considering a managed cloud solution.
Cloud security is top of mind
The most notable security breach of recent memory happened this April when hackers breached Colonial Pipeline through a VPN account which employees used to remotely access the company’s network. According to Bloomberg, the VPN did not have multifactor authentication, and because of the hack, Colonial Pipeline shut down the entirety of their 29,000-mile fuel pipeline – leading to a fuel shortage, longer lines at gas stations, and higher gas prices. Ultimately, Colonial Pipeline paid the hackers a USD 4.4 million ransom after they stole 100 gigabytes of company data.
Despite significant savings in infrastructure costs and improved operational flexibility, security is the single biggest barrier for companies wanting to implement a cloud solution. And according to our 2021 Global Threat Intelligence report, in the last year, there were significant increases in attacks for the following industries:
- Manufacturing increased from 7% to 22%
- Healthcare increased from 7% to 17%
- Finance increased from 15% to 23%
However, although attacks are increasing, security methods are improving and the confidence in cloud providers to protect their customers’ data is rising.
Before we tackle the question – ‘what is cloud security?’ let’s discuss what cloud security is not.
What cloud security is not
First, cloud security is not a one-size-fits-all program or procedure that protects every asset running in a cloud. Second, cloud security is not protecting a single point of attack with a firewall. Computing systems have expanded to incorporate the entire perimeter of a computing landscape; it’s critical that all endpoints accessing the cloud as well as edge computing systems are secure. Lastly, cloud security is not a universal and structured service provided by all companies offering cloud solutions. Because cloud computing typically involves third-party hosting providers, it would be a mistake to think that all third-party providers have the right security processes and procedures to protect your corporate data and systems.
While there are many things cloud security is not, the main point is that protecting your computing assets in a cloud environment, with so many access points, is far more complex than it was just a few years ago. Less than five years ago a solid data center, a good firewall and trusted employees were considered sufficient tools to protect most computing assets. This is not the case anymore.
What cloud security is
While everyone has a different approach to defining cloud security, for our purposes, we’re going to discuss this topic from the standpoint of a third-party provider hosting enterprise systems such as SAP ECC or Oracle’s eBusiness Suite in a private cloud. Perhaps the best place to start is by stating that cloud security is:
A coordinated set of policies, technologies, and other controls designed to protect the data, infrastructure, and applications from a breach. It is also a system that enables and supports regulatory compliance.
This same definition would have applied five years ago, but what separates our computing systems today from five years ago is that now the policies must be different, the technology is different and the controls are different. Attackers are fully aware of these differences, and security systems must constantly evolve as technology advances.
Today, the most advanced data centers hosting private clouds rely on layered technologies to create a durable and flexible net or grid. This layering of security components and software allows components or pieces of software to be inserted at each level of the technology stack, creating multiple points of protection or barriers. The barriers increase the chances that a hacker will be deterred or possibly identified before they get to the data. It also protects the good guys (the system administrators), because even if they make a mistake or overlook something that leaves one layer unprotected, there are still other layers that remain armed and secure.
In a private cloud, the security concerns of multiple clients sharing services and even equipment (called a multi-tenant environment) is typically minimized. Private clouds usually handle the entire computing environment of any single company as a single closed system, including the network, edge computing, and mobile access points. This security could go so far as housing the servers and racks in a separate and secure building. However, a private cloud can still be exceptionally private and secure even if it’s housed in a multitenant system, if it’s physically impossible for any part of the private cloud to touch or integrate with any parts of the other clouds being hosted in the same data center. The main point is that any organization looking at potential hosting services to manage their private cloud should examine how the private cloud is kept private.
In some cases, there is debate as to whether a hosting environment can be considered a private cloud. When evaluating vendors for private cloud computing, it’s important to ask if more than one company’s data is running on the same server.
Traditionally, application components and services that are consolidated onto a single server platform should all be from the same company to maintain the integrity of a private cloud. However, recently there are companies who have created virtualized environments running on a single box that are reported to be as secure as the stand-alone physical server. Intel is one of the companies leading the way in the endeavor. Regardless, if you are considering a hosted private cloud, it is recommended that you find out how the virtualized environments are maintained by any providers under consideration.
If you are looking for a third-party private hosting provider with a strong security posture, one of the main capabilities you will find is their ability to provide data sovereignty. This means you will have complete control (sovereignty) over your data, almost as if the information was hosted in a data center within the physical boundaries of your organization.
You will also have complete functional control of your systems; although you may utilize the technical expertise of your hosting provider to support the daily ‘care and feeding’ of your landscape.
In addition to data sovereignty, there are some other security-related questions you should ask your prospective vendors:
- Does the vendor have any suggestions about how best to utilize your existing technology investments?
- Can the vendor help with architectural design issues as well as system deployment guidance and other best practices for your cloud?
- Is the vendor’s infrastructure scalable and flexible enough to accommodate your needs now and in the future? What happens if you need to ramp up or down?
- Does the provider have 24/7 technical support?
- How does the vendor handle disaster recovery planning?
Click here to learn about our Managed Cloud Services.