01 August 2016
Our natural instincts for security lead us to hold our secrets closely, and guard them carefully. But those of us who are hesitant to trust the public cloud must also consider the security risks of running on a private cloud.
Everyone knows that security is hard. News of recent hacks emerges frequently. A do-it-yourself cloud strategy might leave your business vulnerable to hackers. Plus, there are important government regulations on the proper handling of certain types of personal, financial or medical information. We must at least ask the question:
How secure is your private cloud?
Are you clinging to your own private servers for reasons of convenience, privacy or security? Are you mindful of the regulations for safely handling personally identifiable information or financial information?
For most companies, the consequence of getting it wrong is usually not an FBI investigation, but depending on your industry and product, a security breach could cause lost revenue, lawsuits, loss of brand recognition and negative press. While some companies are able to recover from these because of the nature of their business, you may not be so forgiving if your financial planner has a breach. If your company deals with health care information, student information, credit cards or government contracts, for example, being aware of government regulatory requirements is crucial to your business.
Traditionally, companies have protected proprietary information by hosting their own dedicated hardware systems on premises and by restricting access, which we sometimes refer to as the "Private Cloud" or more accurately as "Enterprise Computing". The problem with having everything on premises is that just because it's your own server doesn't mean that it's secure -- the status quo is rarely secure. These systems can be horribly restricted and trade functionality for security, like old credit card systems, and in the larger framework, they aren't compatible with today's cloud world.
How can you focus on your mission when there are so many threats to protect against and regulations to follow? Making money isn't easy when you also have to run and secure your own servers. Today's new age of cloud computing offers companies a chance to outsource their computing resources to Amazon AWS, Microsoft Azure, Google Cloud, Rackspace and a host of other "public cloud" providers so that they can focus on their core business rather than running a side IT business.
How can you move to the cloud? While newly formed companies may have been "born in the cloud", most established companies are somewhere on a journey to the cloud and find themselves using a mixture of private and public servers. Some worry about security on the public cloud and feel the urge to keep vital information on premises, while others worry about keeping too much on premises because their facilities are not physically secure.
Cloud providers have only one mission: to be a cloud provider. For them, security is a feature that the marketplace requires because of the number and variety of customers that they service. If you do move to the cloud though, then which cloud is right for you?
Private Cloud
In general, the private cloud can't deliver as much functionality as the public cloud. Companies are focused on running their business and don't have the resources to devote to IT like a cloud company does. Being able to recruit and pay for the right staff is a challenge.
As it is, a company running its own IT has systems administrators who are likely overworked, distracted and unqualified to make security architecture decisions regardless of whether they have the time to do so. Even if a company has a staff with the best systems administrators in the world, they have long to-do lists and desks covered with Post-it notes. Since the business is not solely about computer security, how can systems administrators get everything done when there's always some urgent fire to put out?
Along with issues surrounding the data, there are also physical security and hardware issues to contend with. When the CEO takes potential business partners on tours to show off the "secure facilities", older hardware often sits in the backrooms running yesterday's operating systems without today's patches. A single earthquake or flood could wipe out the entire company! The disaster recovery plan may very well be used to prop up someone's chair where the wheel fell off. Regardless of what's in that plan, the backups aren't going to be useful until you have new servers online at another facility, which could take weeks.
Every business has these problems with IT when their mission isn't IT. DIY IT is like a DIY extension on your home. Rather than hire a contractor with the experience and training to build a three-floor structure, if you do everything yourself, there's a pretty good chance the hot tub will come crashing through the floor -- then you have to pay twice for that extension.
Dealing with a cyber attack can be costly if you don't have the right staff, hardware and software to fix the problem. A cloud provider not only has the resources to react to a cyber attack, it also has the systems to prevent one, along with capabilities that are beyond the reach of a single company.
Distributed Denial of Service attacks (DDOS) are by design difficult to parry at the local level. Rather than diving into the details of TCP/IP, let us draw a simple analogy to illustrate the point. Suppose you run a call center that takes orders for infomercials, but an unknown competitor starts a robo-calling campaign telling thousands of people that they have won the lottery and to call the number for your call center to claim their prize. Suddenly, your call center is swamped with calls from angry, disappointed people. Real customers cannot reach you and sales plummet, but what can you do? If you change your phone number, you will have wasted thousands of marketing dollars. These calls are from too many different people, and there are thousands of numbers to block.
The telephone company is the only one situated to handle this sort of attack. They can trace the calls from everyday people to your number and find out who made that initial call about the fake prize. Once they know what numbers the hackers are using to call people, the telephone company can halt the attack by immediately cutting off the hackers' phone lines.
Think of the large-scale cloud providers like AWS, Azure and Google as the phone company. They either directly control the Internet routers or hold enough sway with the network providers to react fast. Blocking DDOS attacks is one small part of their normal daily routine.
If you're still convinced that having your own DIY servers is better, consider that over half of attacks come from the inside. While our government was obsessed with keeping the Soviet Union from hacking its systems, insider Edward Snowden was quietly copying files. Chances are that your company already has at least one disgruntled employee. Anyone with systems administrator level access is also able to delete the log files to cover their tracks. Even if a cloud platform provider had any disgruntled employees, they probably wouldn't single you out.
And finally, let's admit that computer security is constantly changing. How can a single company afford the resources to design, architect and implement a solution and then have the resources to support and update the system to prevent new attacks?
Is your "private cloud" a real cloud? Unless you're leveraging Mesos, Kubernetes or another cloud technology, a bunch of servers are not a cloud. Setting up a real private cloud will require time and talent. Even the best efforts may fall short. Your gains in security and local performance may be offset by losses in scalability, availability and disaster recovery. Amazon's cloud has a dozen "availability zones". It's hard to compete with cloud providers that are rapidly adding new features.
Public Cloud
Why is the public cloud more secure? It comes down to mission and resources. A cloud provider is dedicated to cloud computing for thousands of clients. Cloud computing IS their business mission, and they have to meet the security requirements for all their customers, not just you.
That means providing proper security for companies with medical information protected by HIPAA laws, government contractors subject to the Federal Information Security Management Act (FISMA), schools subject to the Family Educational Rights and Privacy Act (FERPA), e-commerce companies subject to the Payment Card Industry Security Standards Council's PCI DSS Requirements, large companies subject to Sarbanes-Oxley (SOX), and the list goes on.
These regulations are complicated. Nearly everyone is aware that HIPAA laws govern how medical privacy must be protected, for example, but were you aware that there are similar laws and regulations governing student information, credit card data and government contracts? The public cloud offers security features that have been vetted, verified and proven effective. Key management systems and auditing tools can be used to record every access so that if there's a security breach, the response team can determine what subset of data was affected, in what way and by whom, and most importantly, what subset of customers need to be contacted to prevent a small breach from escalating into big news.
Getting this right is almost impossible for a single business because of the extensive list of government regulations, but cloud providers must conform to these standards so that they can compete -- they have dedicated serious, costly resources to make this happen. Smaller companies have their own mission to make money, and as a result, security often becomes a secondary priority.
The public cloud is better because of the personnel they can afford to hire. They have excellent physical security and Halon fire suppression systems. Customers aren't allowed into their facilities either, but independent auditors inspect the facilities for compliance. You never have to worry about a site going down. If it does, you'll have access to your data moments later because cloud providers have multiple backup sites all over the country.
Is storing data on premises more secure than being encrypted in the cloud? It's counterintuitive, but storing sensitive data on your premises may be less secure than storing it in encrypted form on the cloud.
Today's best encryption algorithms are so strong that breaking a single key requires enormous computing resources and time. Here are the real risks of losing or revealing your encrypted data:
- You kept no backups, and the only copy was lost or damaged.
- Your sensitive information was unavailable when you needed it due to a temporary outage.
- You kept unencrypted copies of the data elsewhere.
- You chose a short password that could be easily guessed, such as a birthday, anniversary or relative's name.
- You accessed your secure information from an insecure device, like a PC with a keystroke logger virus.
- You forgot the key.
- Your key was stolen or misused by someone within your company.
- You were forced to reveal the key by the courts or government agencies.
Storing sensitive data on the cloud guarantees that you have backups and encourages you to think about key management. When you use long keys and cloud storage, your sensitive data will be more secure and available when you need it. Use many keys so there is never "one big secret" and manage them securely so they can never be lost. There are even ways to grant temporary tokens to applications giving only a subset of privileges for a limited time window. If the application never knows any secrets, it can never lose them!
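As an added illustration of the approach described above (example code, not from the original post): a toy token service in Python where the signing keys stay with the service and an application receives only a short-lived token for a subset of privileges, so the application itself never holds a long-term secret. The key ids, key values, subject and scope names are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: only the token service knows these signing keys.
# Several keys identified by key id mean there is never "one big secret",
# and a key can be rotated out without invalidating every token at once.
SIGNING_KEYS = {
    "k1": b"constructed-demo-key-1-not-for-production",
    "k2": b"constructed-demo-key-2-not-for-production",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key_id: str, subject: str, scopes: list, ttl_seconds: int, now=None) -> str:
    """Sign a claim set granting only `scopes` to `subject` until now + ttl."""
    now = time.time() if now is None else now
    claims = {"kid": key_id, "sub": subject, "scopes": sorted(scopes),
              "exp": int(now + ttl_seconds)}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEYS[key_id], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token: str, required_scope: str, now=None) -> bool:
    """Accept only an untampered, unexpired token that carries the scope."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        claims = json.loads(body)
        key = SIGNING_KEYS[claims["kid"]]
    except (ValueError, KeyError, TypeError):
        return False                              # malformed or unknown key id
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time signature check
        return False
    if now >= claims["exp"]:                      # the time window has closed
        return False
    return required_scope in claims["scopes"]     # subset of privileges only
```

A token minted for `read:orders` is useless for `write:orders`, and a leaked token stops working when its window closes, which is the point of handing applications temporary, scoped credentials instead of a master key.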
Still wondering if the public cloud is secure enough for your data? Even the CIA is using Amazon's cloud. Does your need to protect your secret sauce with eleven herbs and spices trump national security?
Hybrid Cloud
Sometimes this is just a euphemism for the ugly fact that established companies cannot instantaneously move all their systems to the public cloud. A true hybrid cloud solution must use cloud technologies like Kubernetes or Mesos to manage an internal "cloud" of servers -- without cloud technology though, it's not a cloud.
The attraction of the hybrid cloud is that we can keep most data on the public cloud or use the public cloud for bursty scaling needs, while our most sensitive data is stored on private servers. To some degree, that makes sense until you consider the serious downside of a larger attack surface. Military minds have long known that fighting a war on multiple fronts simultaneously is a recipe for disaster. Can you really afford to hire the brightest security staff AND outsource your infrastructure to the cloud providers?
This approach facilitates cloud thinking and "containerization" of applications, which paves the way for being able to choose among different cloud platform providers for those able to afford it. Choosing a cloud provider that supports the same cloud-enabling technology will minimize the cost of running on two clouds. One reasonable approach is to run small-scale and deprecated systems internally and public-facing services on the cloud for scaling.
Conclusion
The public cloud offers better security and far surpasses the scalability and availability of most private clouds or enterprise server farms. I'm hoping that I've challenged some of your assumptions about cloud security and that you consider taking a second look at using the public cloud for most of your corporate needs.
A public cloud solution is better in every way:
- Personnel: Cloud platform providers can afford to hire top security experts and dedicate them to the single task of cloud security.
- Physical Security: Cloud platform providers have dedicated facilities and never offer to take customers on "tours" due to security concerns.
- Availability: What good is your secure solution if it's down? Cloud providers are online 24x7x365.
- Disaster Recovery: Backups are built into the architecture, and cloud providers have facilities spanning multiple "availability zones". A properly designed cloud solution can recover from a major disaster almost instantaneously.
- Governance Compliance: Cloud providers are well versed in government regulations and able to ensure that the servers, networking and routing are compliant with the appropriate regulations. Plus, they offer vetted services, such as key management and access control systems, that your application can use to meet your internal security requirements.
- Auditing: Audit logs record not only who accessed what data, but also who changed the rules. Cloud providers offer virtually unlimited log file storage on separate servers that can be recorded by your application, but never altered, and can be configured to grant read access without allowing anyone to edit the logs to cover their tracks.
- Controls: User Identification and Authentication, Security Groups and Access Roles are provided as part of a unified system that operates outside the reach of a given program or local server.
- Distributed Denial of Service Attacks: Cloud platform providers control the key routers and firewalls necessary to address DDOS attacks. By the time the attack hits your router, it's too late because the pipe is already saturated. Cloud providers handle these attacks daily.