3 Levels of Cloud Security Every Business Needs
Cloud security has been a concern since the cloud's inception. For many business leaders, it was an uncomfortable shift from physically seeing the IT and devices securing their infrastructure to simply trusting they exist virtually. This arc of adoption anxiety is not unique to the cloud and typically coincides with the emergence of disruptive technology before total adoption takes place.
For example, robotics is the latest subject of IT excitement, but also concern. Headlines today suggest robots will “take over the world,” but with the technology itself still in development, we may be getting ahead of ourselves! Cloud-based services have been in use for some time, and the speed of innovation, along with gradual shifts from legacy systems, has brought enterprises closer to total adoption.
A recent “Enterprise Cloud Computing Survey” from IDG revealed that concerns about cloud security are still significant (52%); however, this number is dropping, down 15% from 2015. This is an encouraging sign that cloud is gaining trust as a secure option, but work still needs to be done to build trust. Many organizations, particularly in highly regulated industries such as healthcare and financial services, still harbor significant security concerns.
One of the most tangible ways to look at cloud security is to focus on the various levels of your infrastructure that require protection. If you look at a multi-level infrastructure model, all the way at the bottom of the model is the physical level, followed by the network and then applications. These are the three levels of cloud security every business needs to protect:
1. Physical security: In the past – when businesses were running data centres out of their broom closet – physical security was a significant issue, as these data centres were particularly vulnerable and accessible to anyone within close proximity. Companies recognized this risk and took appropriate steps in safeguarding the physical components of their infrastructure. Cloud was a key player in quelling physical security concerns as it centralized thousands of servers into one location, enabling them to benefit from enhanced security systems. With a provider, physical security concerns can almost completely disappear.
2. Network security: The next level to consider is the network. As an industry, cloud and IT professionals have made strides in securing operating systems and basic networking. Many organizations today have the necessary antivirus tools, firewalls, access control lists and intrusion detection to safeguard against outside attacks. Additionally, the security architecture of today can include deep packet forensics, netflow analysis, network access controls, DDoS protection and scanners to provide even stronger security. Organizations today can look to a cloud provider to manage nearly every element of protecting the network, from patching to monitoring and more.
Now that the industry has essentially locked down physical and network security, we’ve moved our focus up the stack to cloud-based applications.
3. Application security: As the cloud industry has better secured the bottom of the “cloud security funnel,” this has forced potential attackers to target higher up the stack. A trend we’re seeing is hackers tampering with customized applications or impersonating users. While application security continues to challenge the industry, by partnering with cloud security providers like Alert Logic, businesses can implement tools such as application firewalls for added protection. Within the application layer, the emphasis should be on identifying vulnerabilities, log management, antivirus (AV), patch management, mail/web filters, scanners and backup. In today's dangerous digital world, security-aware application design, dynamic and static application security testing, and runtime application self-protection – combined with active context-aware and adaptive access controls – are needed.
The concept of “inside” or “outside” security is a thing of the past. Across all industries, recognition that perimeter defense is simply not enough, and that applications need to take a more active role in security, gives rise to a new multifaceted approach. Hopefully next year, the percentage of enterprises expressing concern for cloud security will drop even lower as IT personnel continue to innovate and find ways to protect IT infrastructure at every level.
For more information on designing and implementing an enterprise security plan, download this Navisite white paper, 7 Steps to Developing a Cloud Security Plan.