Managing security in the cloud

How public and private sector organisations are achieving highly scalable, highly secure cloud computing environments

For many organisations, the prospect of migrating some or all of their IT infrastructure to the cloud is becoming increasingly attractive, with key benefits including cost savings, scalability and more time to focus on the services and applications important to customers.

However, some adopters still have lingering questions about security in the cloud, preventing them from fully embracing all the benefits which it has to offer. The common thinking is that if an organisation owns a datacenter, manages the equipment inside and employs the people who run the machines, then the organisation has positive control of its data and is, by default, safe from data leakage. However, we have seen time and time again that the cloud offers improved security and governance when compared to many datacenters owned and run by government agencies or enterprises.

Here’s why: control. In the cloud, CIOs can determine exactly what is running, when it ran, how long it ran and what base machine image it originated from. Many CIOs worry about the rogue server under a developer’s desk running something unauthorised or potentially destructive. In a traditional IT environment, it is really difficult for CIOs to know how many orphan servers like this exist. In the cloud, a CIO or his/her designee can make a single API call at any time and see every system, every virtual machine and every instance.

While the cloud can provide a higher level of control, security as a whole is a shared responsibility between the customer and the cloud provider. Cloud providers can be very secure. However, if a customer launches an unpatched or vulnerable application in the cloud, they run the risk of compromise. Additionally, you can have the most secure application in the world, but if it is on an infrastructure that is vulnerable, then you are vulnerable as well.

Since security is a shared responsibility, it is important to understand who owns the security at each level. Is it the user or the provider? Cloud infrastructure services like AWS offer an extremely flexible computing environment, providing organisations with a significant amount of control over their security. If approached correctly, government agencies and enterprises can improve their security posture through the use of a technology infrastructure provider.

Governments and enterprises are recognising that cloud computing enables organisations to offload the heavy lifting of managing servers and datacenters. This means not only is the security of the physical infrastructure management passed on to the cloud provider, but also the security and the technology that enables virtualisation across multiple operating systems.

The infrastructure provider should be an absolute expert at building large datacenters with redundant systems. This requires the provider to secure numerous datacenters spread across the country, if not the world. Looking at the physical security, this means the provider is responsible for managing guards, fences, gates and cameras and ensuring each meets stringent guidelines. The security of the thousands and thousands of servers, switches, load balancers and virtual machines in those datacenters is another matter entirely. That is why heavily regulated organisations rely on the validation that comes from certifications and accreditations provided by third party auditors.

Certification and accreditation is certainly not a new process for some. Technology infrastructure providers must achieve certifications and third-party reviews that help government organisations and companies meet well-understood security criteria. The most widely respected and applicable of these certifications is ISO-27001. Technology infrastructure providers should also undergo SOC I Type II audits to ensure they are complying with their own internal policies.

The reliance on auditors to certify the security of a technology infrastructure removes yet another burden from Chief Information Security Officers. Since the CISO does not have to spend time conducting audits of his or her own physical data centers, they can focus resources on areas where they are needed most – the applications. Cloud providers such as AWS are in business and remain in business due to technological innovations and experience in large scale enterprises.

Consider this analogy. The Air Force doesn’t hire people to construct a factory and build aircraft. They contract experts like Boeing or BAE Systems to build aircraft. These are experts that have been building aircraft for years and who have done so by hiring the best and the brightest engineers, builders and architects. The same idea works in cloud computing. Why should organisations take on the burden of building large scale data centers and create infrastructure when there are already experts in business providing this service?

Making the move

Change is hard. Moving existing applications in existing datacenters into “the cloud” can sound like a daunting task. However, there are ways to do this in a relatively painless manner. As organisations with existing legacy applications build migration plans to make their move, many will operate in a hybrid mode as they gain more cloud experience. One of the ways organisations are jumping into the cloud is by building a secure and seamless bridge between their existing IT infrastructure and the cloud.

With AWS, organisations can do this through the Amazon Virtual Private Cloud (Amazon VPC). This service enables organisations to connect their existing infrastructure to a set of isolated compute resources via a Virtual Private Network (VPN) connection, and to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their cloud resources.

Organisations can achieve end-to-end network isolation by utilising their own IP address range, and routing all network traffic between their VPC and datacenter through an industry-standard encrypted IPsec VPN. For those who need the highest level of security, they can take their VPC one step further and run Dedicated Instances. This is when hardware is dedicated to a single customer, providing physical isolation for all Amazon EC2 compute instances launched into that VPC.
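The control the article describes, one API call that lists every instance, and the VPC plus Dedicated Instances isolation above, can be turned into a routine posture check. The following Python is an added example, not code from the article or from AWS: it audits a describe-instances response against an allow-list of VPCs and base images and flags instances not on dedicated tenancy. The instance, VPC and AMI identifiers in the sample are constructed placeholders, and the optional live fetch assumes boto3 and valid credentials.

```python
"""Audit an EC2 inventory: every instance must sit in an approved VPC,
run on dedicated hardware, and come from an approved base image."""


def fetch_live_inventory(region="us-east-1"):
    """Pull the real inventory with boto3 (requires credentials and
    ec2:DescribeInstances). Pages are merged into one response dict."""
    import boto3  # assumption: boto3 is installed when this is called

    ec2 = boto3.client("ec2", region_name=region)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    return {"Reservations": reservations}


def audit_instances(response, approved_vpcs, approved_amis):
    """Return (instance_id, reason) findings for each policy violation.
    `response` has the shape of an EC2 DescribeInstances result."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            # Instances outside the VPC are not behind the IPsec VPN bridge.
            if inst.get("VpcId") not in approved_vpcs:
                findings.append((iid, "outside approved VPC"))
            # Dedicated tenancy is what gives physical isolation.
            if inst.get("Placement", {}).get("Tenancy") != "dedicated":
                findings.append((iid, "not on dedicated hardware"))
            # Unknown base image: the "rogue server" case, now visible.
            if inst.get("ImageId") not in approved_amis:
                findings.append((iid, "unapproved base image"))
    return findings


# Constructed sample in the DescribeInstances shape; IDs are placeholders.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "VpcId": "vpc-corp", "ImageId": "ami-approved",
     "Placement": {"Tenancy": "dedicated"}},
    {"InstanceId": "i-0bbb", "VpcId": "vpc-corp", "ImageId": "ami-approved",
     "Placement": {"Tenancy": "default"}},
    {"InstanceId": "i-0ccc", "VpcId": "vpc-other", "ImageId": "ami-unknown",
     "Placement": {"Tenancy": "dedicated"}},
]}]}
APPROVED_VPCS = {"vpc-corp"}
APPROVED_AMIS = {"ami-approved"}

if __name__ == "__main__":
    for iid, reason in audit_instances(SAMPLE_RESPONSE, APPROVED_VPCS, APPROVED_AMIS):
        print(f"{iid}: {reason}")
```

Swap `SAMPLE_RESPONSE` for `fetch_live_inventory()` to run it against a real account; a clean run returns an empty list.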

For any cloud provider, security must be its top priority. Most organisations don’t have the luxury of dedicating resources to security, unlike the cloud provider, which should be actively investing in security technology, processes and personnel. Cloud security is achievable at scale, and we look forward to watching organisations continue to innovate on their IT practices and reap the benefits of operating in a secure, highly available and cost-efficient technology environment.

Steve Schmidt is Chief Information Security Officer at Amazon Web Services
