“Is cloud secure?” Seriously, why are you asking this? Ask: is MY USE of cloud computing secure? Or, if you want to be a bit fancy, you can add “… secure enough for my purposes?”
Do ask “is my provider doing a good job with security?”, BUT realize that it is NOT the most important question. What your provider does is important, but what you – your organization – do it even more so! Applying this to my main theme this quarter – cloud security monitoring – will make you realize that asking your provider “do you monitor for security issues?” is most definitely not the same as you actually doing such monitoring. The table below explains why:
Table 1. Enterprise Lens vs Cloud Provider Lens
|Enterprise lens||Provider lens|
|Keep their cloud resources secure
Comply with regulations relevant to the customer
|Keep cloud infrastructure secure
Keep customer resources secure (to the degree sufficient to keep a customer)
Offer security services to customers (as an additional revenue stream)
Comply with regulations relevant to the provider
See what I mean here? Your cloud provider – even if SUPER-diligent with security monitoring, logging, log analysis, netflow, etc – may not even have a chance to perform security monitoring YOU need. Think of application monitoring on IaaS or detailed usage pattern analysis for SaaS – these are not something the provider typically WILL or even CAN do. “What they monitor for” and “what you monitor for” might overlap slightly, or not so slightly, but they are unlikely to be the same!
Moreover, for some threat factors the situation turns dire: think of a malicious CSP system administrator (or a malware-infected one: if you just trust all CSP personnel … after all “they run The Cloud” ). The cloud customer cannot monitor his/her actions directly (not with our level of cloud platform development today), while cloud provider monitoring “lens” might not focus on some of his actions that a cloud customer would really care about …
You can get the best control attestation framework, you can even do continuous control assessment, but unless somebody monitors for such activities and their consequences, the security gap is still there.
What to do?
A telling analogy here is that of a bank finding a new location for a branch. If the bank rents a building from the landlord, the building must include the vault. But the vault – a secure CSP – is not all that is needed, the bank also needs an alarm system. Is one available for rent from the landlord? Can the bank install their own? Can they contract with somebody for alarm services? Upon getting a triple “No” answer to these questions, the bank has no choice but to look elsewhere.
Sorry to not give you the silver bullet here – the answer is still the same: build/buy/partner + use it.
(By the way, WTFC stands for “What the Top Factors Concerning it are?”)
Previous cloud security posts are:
- Cloud Security Monitoring: IaaS Conundrum
- Cloud Security Monitoring for IaaS, PaaS, SaaS
- More On Security Monitoring of Public Cloud Assets
- Cloud Security Monitoring!
- Many Faces of Application Security Monitoring (briefly touches on cloud applications)
- Cloud IS Different: So Monitoring Must Be Different?