Whether 10 years ago or just last week, companies continue to ponder, “is cloud computing secure?” The truth is cloud computing is just as secure as, if not more secure than, a traditional server if configured properly. In fact, most security breaches in the cloud are the fault of the customer, not the cloud network. Gartner Research estimates that between now and 2025, 99 percent of cloud security breaches will be the customer’s fault.
With this notion in mind, let’s address several frequently asked questions about cloud security.
There are two factors to security in the cloud:
From the perspective of the physical security of the equipment and infrastructure security, cloud computing is more secure than most traditional servers. Large cloud service providers like Amazon and Microsoft can’t afford to have their customers lose trust in their services, so they invest a lot of money and resources in protecting them.
For instance, Amazon has invested heavily in its Shared Responsibility Model, which clearly outlines the security responsibilities. Things like building security, network firewalls, and other across-the-board security factors are under their control. The biggest risk in cloud computing is on the customer’s side of things: how they’re storing their data.
If you don’t have your cloud systems set up properly, it won’t matter how strong the provider’s security is; your data will still be at risk.
As we’ve already pointed out, the cloud providers have strong security measures in place to protect their networks physically and from wide-ranging attacks. For now, we will set that aside since you can assume it’s in place.
What you need to concern yourself with is the security of your data. This includes things like proper access controls on storage buckets or functions to ensure they’re not readable by anyone who shouldn’t have access, putting strong security policies in place to minimize exposure, and ensuring your staff is following those policies.
If your storage buckets or functions aren’t configured correctly or your employees are doing things that could put them at risk of disclosing sensitive information, it won’t matter how strong your cloud provider’s back-end security is.
With a traditional on-premises server, a lot of the security work consists of the things cloud providers look after themselves. In the cloud, firewall configuration, protection against distributed denial of service (DDoS) attacks, physical security, and failover plans are in the provider’s hands.
The problem is, many IT departments still think in those terms rather than in terms of the unique security aspects of cloud systems. With serverless computing in the cloud, each function needs its own security configuration inside the code; security is not a simple cut-and-paste solution.
If you miss an important configuration, it can leave your application and data exposed to the world. Instead of thinking in terms of blocking access to the server, you need to think in terms of allowing access to the specific function.
The biggest security threat to cloud computing is unauthorized access and identity management. Misconfigured storage buckets can leave your data open to people within your company who shouldn’t have access and in the worst case, open to the general public.
There are search engines on the dark web that do nothing but crawl the internet looking for exposed buckets. Anyone with access to those sites can find exposed data.
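As an added example (not part of the original article, and not Protego's or any cloud provider's tooling), the Python below checks two constructed AWS policy documents for the misconfigurations described above: a bucket policy that allows everyone, and a function role that allows far more than one function needs. The policy contents, bucket, role and table names, and the account ID are constructed samples.

```python
import json

# Constructed sample policies; names and account ID are placeholders.
BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "AppRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")

FUNCTION_ROLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
  {"Sid": "Scoped", "Effect": "Allow", "Action": ["dynamodb:GetItem"],
   "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/example-orders"}]}""")

def _as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def public_statements(policy):
    """Labels of unconditioned Allow statements open to any principal.
    Statements with a Condition are not flagged and need manual review."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        principal = st.get("Principal")
        values = principal.values() if isinstance(principal, dict) else [principal]
        if any("*" in _as_list(v) for v in values):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits

def overbroad_statements(policy):
    """Labels of Allow statements using a wildcard action or resource."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if st.get("Effect") == "Allow" and (wildcard_action or "*" in resources):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits

if __name__ == "__main__":
    print("public bucket statements:", public_statements(BUCKET_POLICY))
    print("over-broad function statements:", overbroad_statements(FUNCTION_ROLE_POLICY))
```

The "Scoped" statement shows the allow-list mindset for a single function: one named action on one named resource.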
Information leaks are another common threat. This is less of a cloud computing threat and more of an internal security issue. If one of your employees leaks sensitive information, intentionally or not, it can lead to data breaches if your cloud security isn’t configured properly.
Distributed denial of service (DDoS) attacks are another potential threat. These attacks flood a website or other service with enough traffic to overwhelm the server.
This is one type of attack that is less effective against cloud-based systems though. One of the advantages of the cloud is that your data or web app gets distributed across more than one cloud server, generally in different places throughout the world. If one location is getting hit with a DDoS attack, the cloud provider can route your traffic to another data center.
There’s an adage in network security that says untested systems are unsecured systems. Testing cloud security isn’t that much different than a traditional server – you need to do vulnerability or penetration testing to be sure you’re not overlooking an obvious gap in security.
If your IT department is familiar with how serverless applications are attacked and how cloud-based data can be exposed, you can test against those attacks internally. If not, consider outsourcing the work to a pen testing service.
If you’re in an industry with regulatory requirements for data security, such as HIPAA for patient data privacy, or PCI DSS for payment card data security, how your applications are leveraged in the cloud plays a critical role.
Cloud providers have built their practice around this to ensure companies maintain compliance with the legal requirements. For instance, some regulatory bodies require the data to be stored on servers located within the US or whatever country you’re doing business in, which is why providers have built regional data centers to store data. This is just one of many examples.
As you can see, “is cloud computing secure” isn’t the question you should be asking. The better question is “have we secured our cloud resources well enough?”
Cloud computing is not new and IT staffs by now have sufficient knowledge and experience. However, emerging technologies, like serverless, can lead to unexpected risk if not properly understood.
Protego’s serverless security technology gives you a centralized control panel to manage and monitor your cloud security. We’ll make sure your cloud security is configured properly and make it easy for you to manage on all the major cloud networks including Amazon AWS, Microsoft Azure, and Google Cloud.