When the tech hype machine kicks into high gear, seasoned IT leaders know the drill: Expect all manner of jargon-laden pitches, misunderstandings, and downright myths to follow. Consider cloud computing as Exhibits A through Z. Cloud had a heck of a run in the hype cycle, and for great reason: It’s nothing short of a significant shift in IT.
Cloud is now well past hype at this point, of course, and living comfortably in the mainstream. But that doesn’t mean it left all the myths back on shore, especially when it comes to security, especially public cloud security.
[ How can automation improve your security strategy? Get lessons learned from your peers in our comprehensive resource, Automation: The IT leader's guide. ]
We figured it was high time to revisit some of the big, lingering misunderstandings around public cloud security – some of which certainly extend to private or hybrid cloud environments, too, not to mention IT security in general.
We asked several cloud security experts to help us rewrite the myths as realities. Here’s what they had to say.
Myth 1: Public cloud is inherently insecure
Let’s dispense with this one quickly, shall we? This is a phase of actual cloud history that has since been mythologized. Does public cloud have different considerations than a traditional datacenter? Sure thing. Does that mean public cloud is automatically less secure? No.
“When public cloud was new, there were valid concerns as the technology was unproven, but this is no longer the case,” says Laurence Pitt, global security strategy director at Juniper Networks. “Modern cloud computing started in the 1990s, meaning providers have many years of experience providing data and application access, ensuring rights management, strong governance, and systems monitoring.”
Of course, not all providers are equal – more on that in a moment. But Pitt uncloaks the great prevailing cloud boogeyman here: That public cloud is in and of itself a massive security threat.
Reality: Public cloud security is often better than your old on-premises security
In fact, for some companies, leveraging the size and scale of some cloud vendors might actually be a part of a more efficient overall security strategy, especially if they’re strapped for budget or simply, like so many IT leaders, having a difficult time finding the right cybersecurity skills for their teams.
As Red Hat technology evangelist Gordon Haff recently noted, you're likely worrying too much about security process at that public cloud provider. "The nature of public clouds is that they approach security using specialized staff, automated processes, and discipline (which is not to say that enterprises don’t, but it’s by no means a given)," he writes. (See the full article: Public cloud security: Follow the Goldilocks principle.)
Myth 2: There’s a single thing called "public cloud"
Ask George Gerchow, CSO at Sumo Logic, for his prevailing public cloud myths, and he’ll give you one – by pointing out that the topic is too broad.
“This question needs to be broken down further to differentiate single tenant versus multi-tenant versus managed service in a public cloud,” Gerchow says.
Indeed, we tend to lump together a whole bunch of stuff – from software to infrastructure to development platforms, basically anything you can attach the ubiquitous “as-a-Service” (-aaS) acronym too – under a giant umbrella of “public cloud.”
For one company, “public cloud” might mean multiple infrastructure environments spread across multiple vendors, integrated with private cloud and/or on-premises infrastructure as part of a robust hybrid cloud portfolio. For another company, “public cloud” might simply mean they use Google Apps or Office 365.
This leads to generalizations about public cloud security that tend to be off-target.
Gerchow, for example, sees a key misunderstanding when digging into more specific categories of public cloud: “There is a huge misconception that single-tenant cloud deployments are more secure than multi-tenant,” he says.
Reality: Public cloud types, and their security considerations, can vary significantly.
Gerchow’s point is well-taken: It’s a mistake to think of public cloud security as a homogeneous issue.
It would similarly be a mistake to view all public cloud environments as one and the same from a security standpoint. You must draw distinctions between the specific type of cloud environment, the data you’re moving there, and so forth as part of any public cloud strategy. Moreover, different organizations have different needs and concerns around security, compliance, governance, SLAs, and more; you know those needs better than anyone.
Again, to think of “public cloud” as some big, leaky environment just waiting to get hacked is to miss the opportunities cloud presents. And these days, it’s a misnomer.
“Public cloud providers spend an inordinate amount of resources on making sure security is initially a core part of the architecture as well as keeping their networks and services hardened,” says Mike Kail, CTO and co-founder and CYBRIC.
In that same vein, IT leaders must understand the environments they're using. You should be digging in to your public cloud providers with the same level of diligence as you would into your own datacenter. (And if, in the latter case, you’re not paying particularly close attention – well, that probably means your whole security profile needs an audit.)
As SAS CISO Brian Wilson told us recently, cloud security in general – and perhaps especially in public clouds – requires a deep understanding of your providers’ capabilities and how those map to your particular needs. (It may be that a multi-cloud strategy will be necessary to meet your various requirements.) In Wilson’s case, for example, any provider who can’t deliver federation with SAML is a non-starter.