Cloud Deployments Carry Security, Regulatory Risks

For most companies, migrating business processes to the cloud offers several benefits. It can reduce overhead, and boost the average worker’s ability to carry out daily tasks. With that said, moving mission-critical services and data to the cloud also comes with some risks, including one that many organizations fail to consider.

When businesses and organizations of any type look to cloud computing, what they’re really talking about is “pooling resources together into one amorphous blob that can be shared across organizations, departments, or customers,” said Johnnie Konstantas, an executive at Juniper.

That pooling of resources allows those organizations to do more with less. However, CIOs and IT pros should understand the risks involved in cloud-based initiatives before signing a contract for services, and that starts with research—lots of research.

Public Cloud

Simply put, organizations must first obtain a baseline from their network, identifying all existing workloads and mapping them to the cloud. This includes existing security layers. Once the base is established, the organization needs to decide whether a public, private, or hybrid cloud solution will fit best with its overall goals.

The chosen option should allow an organization to expand as needed (or shrink, if that’s the case), while maintaining security and efficiency.

Public cloud offerings, such as the ones from Amazon, allow organizations to pay as they go. For smaller operations, the cost benefit of that is almost instantaneous, depending on the provider’s terms.

The main risk associated with the public cloud option is workload segmentation. An organization opting for the public cloud model is placing its data in the hands of a third party. Because of that, the organization needs assurances that its workload is separated from that of other customers.

Private Cloud

Private cloud solutions, where computing and storage are deployed within the organization itself, don’t eliminate the concerns usually associated with public clouds.

“When it’s a private cloud, you have similar concerns,” Konstantas explained. “But they tend to be more regulatory in nature. You want to make sure that housing customer data, human resource data, [or] sensitive intellectual property, that you’ve created the proper barriers between these cloud workloads, so that you’re not in danger of violating some sort of regulation, or that you’re not unduly exposing sensitive information to the Internet or to unwanted access.”

The various platforms available for cloud deployments, such as AWS or Azure, should be vetted to ensure they meet the organization’s needs. This includes security assurances (such as isolation), rule-based security that governs continuous VM usage and newly created instances, SLAs, and regular reporting.

“Believe it or not, different service providers vary greatly as to what they offer to you as protections to your cloud,” Konstantas noted. It can go from nothing at all, to a firewall that an organization needs to manage on their own, to something that the provider deploys and manages for customers.

Hybrid Cloud

Once the type of cloud has been selected, organizations should conduct additional research into the types of workloads that will be offloaded to it. The offloaded workloads may require unique layers of security on top of the overall layer of security generally assigned to a digital asset.

For example, customer data should be protected and available only to authorized applications and staff. Picture a workload of customer records and daily transactions. An organization sending that to the cloud needs a layered security approach that ensures protection and regulatory compliance—without hindering access to the data when needed, and without impacting customer experience or internal productivity.

Some organizations navigate through this thicket by opting for a hybrid cloud. They will virtualize a portion of their datacenter, maybe because they want to lower their energy consumption or improve hardware utilization. At the same time, they will move some workloads to a hosted environment, further optimizing productivity and improving user experience by placing the forward-facing applications closer to the users who reach them online.

The hybrid cloud allows organizations to leverage more processing power and storage as they need it, which is why most experts call it the best of both worlds when talking about the different cloud types.

But the hybrid model also carries risks, including a big one: communication. Organizations that want to deploy a hybrid solution need to ensure a secure tunnel on both endpoints so that the public cloud workloads can communicate with their counterparts in the private cloud.

Securing a hybrid cloud should involve the same layers used in the private and public options, but visibility and access control need to be key considerations. When a new instance is spun up, that instance may not require all the security used in the other parts of the infrastructure, but there should be visibility into what it is doing, along with controls dictating which applications or users have access to it, and granular controls placed on the data itself.

Web Apps

Moreover, any Web application used to access data in the cloud must be examined as well. It will need to be secured and optimized to take advantage of the new environment.

“The benefit of new software designed with cloud in mind is that most software developers are, for the most part, aware of the benefits and challenges of cloud environments. Shoehorning legacy software, not to mention legacy security solutions, into cloud environments might cause some organizations to rethink their cloud adoption strategy and give pause to throwing everything into the cloud immediately,” said Andrew Hay, chief evangelist at Cloud Passage.

Application security involves hardening the application against vulnerabilities (such as SQL injection) and business logic flaws, including (in the latter case) ones that would allow a customer to view other customer accounts or manipulate the order process.
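As an added illustration that is not part of the article, the two flaws named above side by side in a small Python/SQLite order lookup: the first builds SQL from the request value and never asks who is requesting, so any customer can read any order; the second binds parameters and makes ownership part of the query. The table, sample rows and function names are constructed here for the example.

```python
import sqlite3

# Constructed sample data (not from the article): two customers, three orders.
SAMPLE_ORDERS = [
    (101, 1, "widget x2"),
    (102, 1, "gadget x1"),
    (201, 2, "sprocket x5"),
]


def build_db():
    """In-memory SQLite database seeded with the constructed sample orders."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, item TEXT)"
    )
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return db


def get_order_vulnerable(db, order_id):
    """Flawed lookup: the request value is pasted into the SQL text (injection
    risk) and no ownership check is made, so the business-logic flaw from the
    article applies: a customer who guesses another id sees that order."""
    sql = "SELECT id, customer_id, item FROM orders WHERE id = " + str(order_id)
    return db.execute(sql).fetchone()


def get_order_hardened(db, requesting_customer_id, order_id):
    """Hardened lookup: the id is validated and bound as a parameter, and the
    caller's own customer id (from the authenticated session, never from the
    request) is part of the WHERE clause, so another customer's order is not
    returned at all rather than relying on a check after the fact."""
    try:
        order_id = int(order_id)
    except (TypeError, ValueError):
        raise ValueError("order_id must be an integer")
    return db.execute(
        "SELECT id, customer_id, item FROM orders WHERE id = ? AND customer_id = ?",
        (order_id, requesting_customer_id),
    ).fetchone()
```

Returning nothing for an order the caller does not own (rather than an error that confirms the id exists) is the usual choice for customer-facing endpoints.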

The Final Risk

The final unique risk associated with moving to the cloud is one that most organizations never see coming until it’s too late. There are plenty of options in the market for virtualization security, but an organization that deploys too many of these options can lose the benefit of cloud altogether.

In theory, the cloud provides a highly resilient network that can optimize itself for performance, all while making its users’ workday tasks more efficient.

“You don’t want security to come in and take away those benefits,” Konstantas said. “If you have to disable self service, if you have to disable live migration, if your security is so heavy-handed that it slows down traffic or you can’t get as many virtual machines on your virtual machine host, it costs you more. It costs you so much more that you might as well not have gone to the cloud computing model to begin with.”

Thus, cloud usage and security need to be balanced against each other. The largest risk that organizations face when moving to the cloud isn’t the presence of too little security; sometimes it’s the presence of too much.
