Companies are moving to the cloud faster than ever, and security remains a top concern.
One of the most common questions we get at Rackspace, where we offer managed cloud and security services, is which entity is responsible for what aspects of cloud security. This is a critical issue to understand, given the impact a breach can have.
To get answers to this and other common security questions, I sat down with Rackspace Managed Security Director of Product Eric Brinkman.
Don’t Amazon, Microsoft and Google keep my cloud secure?
Cloud security is comprised of two parts: security of your cloud and security in the cloud. All of the major cloud providers adhere to strict security standards, ensuring that the likelihood of a breach originating from an exploit in your AWS, Azure or Google cloud platform is low.
But security within the cloud is the end user’s responsibility. Companies must ensure they’re meeting their own cloud security responsibilities, including safeguards, permissions and standards for applications, operating systems and other cloud contents. Addressing both security of and in your cloud is what makes up a comprehensive security posture.
Our recommendation: clearly understand where security responsibilities transition from the cloud platform provider to you. This will help you define your organization’s security strategy and execute the necessary actions — either yourself or with the help of a managed security service provider, or MSSP.
Is cloud security more expensive than traditional security?
Every business has to adhere to a cost vs value mandate, and cloud security is no different. But the answer is, it depends. Cloud security should scale with your implementations. Security costs typically scale when you grow environments or if you realize it’s time to improve your security posture by investing in new capabilities. Neither of these things is cloud specific; rather, they are business specific. Security can become more expensive in the cloud if a company has to deploy new technology or automation platforms to solve for the inherent scalability of these platforms. Most of the time, though, we see companies leveraging existing resources, and security costs scale as environments do.
Our recommendation: invest in automating security technology to ensure mobile devices are secured, as well as in security technology that works seamlessly across platforms.
How do I integrate cloud security with my existing security posture?
Key to integrating new deployments within your existing security posture is understanding the platform you’re working with. Each cloud platform has its own unique access points; knowing what those are and how to properly secure them is important. One common mistake we see is a business thinking it needs a whole new strategy just for cloud security. While there are considerations when moving to the cloud, adhering to multiple strategies often leads to a less secure environment, as confusion and inconsistencies can increase mistakes or attack surface. One way to meet various platform security needs is through tools that work across all cloud platforms. This will make it easier for your security to adapt to new clouds and the various access points they have.
Recommendation: work with a managed security services provider to adopt technology designed to work across all cloud platforms as your business evolves.
Will I need more human resources when moving to the cloud?
Much like the cost question, the answer is you might, but not necessarily. This entirely depends on what resources your organization already has. If it employs a full security team, whether in-house or with MSSP support, that may be sufficient.
On the other hand, if you don’t already have a holistic security posture, you may need more resources. Some companies may need to expand their architect and operations teams to support new environments. MSSPs are a great option for these situations, as they already have the necessary staff to help quickly architect, deploy and manage new environments your teams may not have experience with.
Recommendation: understand your risk tolerance. As teams and implementations grow, so does risk. Your resources and staff should be in line with your risk tolerance. A small business may not be able to invest in a fully staffed security operations center, while a Fortune 500 company may not want to. In both cases, an MSSP can help.
Can moving to the cloud complicate our compliance strategy?
The good news is that in some ways, moving to the cloud can make meeting compliance regimes easier. Cloud platforms often include strict security standards and confirmation of compliance, removing some of the operational burden associated with adhering to compliance regimes. However, this does not take away the responsibility of ensuring proper controls, access and compliance requirements in your environment and applications. Lastly, it’s important to remember that security does not necessarily equal compliance. Although often overlapping, both should be looked at with any new deployment, not just for cloud.
Recommendation: clearly outline and define the compliance regimes and standards you must adhere to. Understand if any new legislation may be coming for your particular vertical. Once you have that done, all new platforms, applications, etc. should follow this strategy.
To wrap up, cloud security should be seen as an adaptation of your existing posture. Moving to the cloud might not necessarily mean changes to your security strategy, but it should definitely be reviewed before making the transition. Many organizations understandably prefer to work with an expert partner when doing so.