Who's in Charge of Cloud Security, Users or Providers?
One of the most commonly cited obstacles to cloud adoption is security, which itself is an extension of the perceived loss of control over the infrastructure running your applications and storing your data. On the whole, cloud infrastructure is actually more secure than in-house data centers, as providers have dedicated staff, software, and hardware protections in place at a greater level than the majority of on-site facilities.
These protections take the form of many layers of physical security, best practices and documented plans for security responses, industry-leading firewalls, antivirus, antimalware, and monitoring software, and strict access control for users and administrators. But the malleability of the cloud, plus its many forms and applications, means that it is not always clear who should be in charge of securing a cloud deployment.
Do users or cloud providers need to be in charge of security? The answer depends on which part of the cloud stack you’re looking at.
What the Cloud Provider Secures
Your cloud provider delivers you one or many virtual servers, and that means their security responsibility ultimately focuses on the security of that platform. That means the servers, storage, and network running the cloud, plus additional network security, and very limited security at the hypervisor or VM level. At Green House Data, all of these components, plus some supported built-in firewalls, are covered as part of our Hear from a Human service promise. That includes security.
We’ll provide perimeter network security and DDoS, IP spoofing, and port scanning, but only on external networks. Our switches are protected from external attacks, but if a DDoS attack is launched on your public facing application, we are not responsible. We’ll keep the hypervisor platform up-to-date with patches and upgrades. Our own internal systems and clouds that we manage for other customers will always follow security best practices for access management, updates and patches, hypervisor hardening, network scanning, and anti-virus/anti-malware attack monitoring.
With managed cloud security, we can handle many of those tasks for your cloud environment as well.
What the User Secures
The user needs to keep their own applications, operating systems, and data secured. That might mean encrypting data at rest or in transit. Any applications should follow best practices for secure coding, access management, and patching. Users must set up their own update and patch management protocol and stay abreast of current security threats. Keep a strong password requirement and make sure users change them often—access management is key to strong security. That also means restricting which user roles have access to specific systems and data.
Green House Data and other cloud providers can provide log scanning and management, including sending you security logs, but this is often a user responsibility as well. Check who is accessing your applications and files and make sure no malicious activity has taken place.
Beyond securing the applications themselves, you’ll want your own network threat detection platforms and security monitoring tools. Place anti-virus and/or anti-malware software on your server and keep it updated.
If you are breached or shutdown via malware like Ransomware, you’ll also probably want backup and or disaster recovery configured for your applications. If determined to be an acceptable loss of new data, you can roll back to a recent point in time without paying a ransom or fighting to clean up viruses.
Work with your cloud provider to learn what pieces of the cloud platform are secured before you ever push an application into production. Maintaining security is a collaborative effort, and many providers have options to take some of the workload off your team, should you choose. Be sure to read and understand your Service Level Agreement (SLA) and how it may affect compensation as well as your daily workflow from security events or downtime as a result of a breach.