Cloud computing security myths: busted

Porticor/ Article, Gilad Parann-Nissany


In a February 2014 survey, 94 percent of organizations reported running applications or experimenting with infrastructure-as-a-service.[1] According to research firm Nasuni, there is over one exabyte currently stored in the cloud. An exabyte is over a billion GB.[2] Considering the amount of data in the cloud and the growing rate of adoption for sensitive use cases, it is natural that securing our data in the cloud is a concern. But cloud security, though rightfully a central concern, should not be a hindrance to aggressively moving workloads and applications to the cloud. In fact, there are some misconceptions about cloud security that need to be laid to rest.

Myth #1: A cloud provider’s customers can attack each other

The multi-tenant environment of cloud computing has given rise to a misconception that the provider’s many customers can access each other’s data and accounts with little effort. This is tantamount to saying that your neighbors can break into your home more easily than a thief from across town. The truth is that virtual walls segregate you from other customers. Your hypervisor is the primary separator and is extremely difficult to hack. If you add other safeguards like VLAN isolation and proper data encryption and key management, your data is completely safe from other cloud customers. The Alert Logic State of Cloud Security Report concludes, “It’s not that the cloud is inherently secure or insecure. It’s really about the quality of management applied to any IT environment.”


Myth #2: Data in the cloud is more susceptible to risk than data in the datacenter

In survey after survey, we find that the reason that cloud computing isn’t growing even faster than its staggering CAGR is companies’ security fears. But, like many fears, this one mixes legitimate concerns with ignorance. Depending on the details, data in the cloud may actually be safer than data in the datacenter. In fact, a 2014 study found that once businesses learn about and experience cloud computing, concerns about security vanish. Close to one-third of executives and professionals who have not yet implemented cloud say security is their top concern, a number that diminishes to 13 percent of seasoned, heavy users of cloud services (and is only the fifth-ranked concern on their list).[3]

Arthur W. Coviello, Jr., Executive Chairman for RSA, puts it simply, “security concerns are really independent of the cloud. They’re just an extension of what is being dealt with in the physical infrastructure.”[4] In many cases, the average enterprise or SME can’t keep up with all of the security controls necessary to protect data in-house. For a cloud provider, conversely, it is a core business function. They typically invest in the strongest forms of network security and detection and attain compliance certifications that reduce the risk for the data they’re tasked to protect.

If your core business isn’t preparing tax returns, you hire someone who can do it for you: someone with the right background, experience, and tools. Someone who does a better job than you could do yourself. The same applies when it comes to protecting your data: using a provider who specializes in doing so will create better results than doing it yourself.

The internet is filled with comparisons of the trustworthiness of cloud providers. Those researching a cloud solution are often tasked with ensuring the cloud provider conducts audits, provides certifications, complies with industry regulations, properly screens their employees, etc. While all of these elements have their place in assessing the trustworthiness of a cloud provider, they don’t completely protect your data because it is not just the cloud provider’s responsibility to protect your data. The truth is this: whether you build your own private cloud, store your data in a public cloud, or keep your sensitive business information under your mattress, the duty to protect your data is yours alone.

Myth #3: Using a trusted cloud provider guarantees protection of data

Amazon Web Services (AWS) accounted for 37% of the $9 billion infrastructure as a service (IaaS) market in 2013, according to analysts from equity research firm Evercore. The IaaS market is growing by 45%, but Amazon Web Services has a growth rate of 60%.[5] AWS is currently the biggest public cloud provider. And yet, in the AWS Security Center, they clearly state “AWS has secured the underlying infrastructure and you must secure anything you put on the infrastructure.” Because you control the security of your accounts and data, you can ensure that you still own your data – even though you are housing it in public infrastructure.

The way to ensure your data is safe in the cloud is by encryption. Encryption, and the management of encryption keys, is not just about safety; it is also about ownership. If you encrypt properly, you will own your data even though you are renting infrastructure from a cloud provider. To simply and effectively achieve encryption key management, the best practice is coupling the innovative techniques of split key encryption and homomorphic key management. They will be the assurance that no one (not even your cloud provider) can access data you store in the cloud and that everything you store in the cloud is completely safe, segregated, and protected in a way that is scalable, automated, and cost-effective.

Resources

  [1] http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2014-state-cloud-survey
  [2] https://www.nasuni.com/wp-content/uploads/2013/02/nasuni_infographic_the_state_of_cloud_storage_in_2013-4.jpg
  [3] http://www.forbes.com/sites/joemckendrick/2014/04/03/cloud-security-fears-diminish-with-experience-survey-shows/
  [4] http://www.vmware.com/files/pdf/VMware-Cloud-Security-Myths-Strategies-Uncovered-White-Paper.pdf
  [5] http://www.businessinsider.com/amazon-web-services-market-share-2014-6