For many organisations, the prospect of migrating some or all of their IT infrastructure to the cloud is becoming increasingly attractive, with key benefits including cost savings, scalability and more time to focus on the services and applications important to customers.
However, some adopters still have lingering questions about security in the cloud, preventing them from fully embracing all the benefits which it has to offer. The common thinking is that if an organisation owns a datacenter, manages the equipment inside and employs the people who run the machines, then the organisation has positive control of its data and is, by default, safe from data leakage. However, we have seen time and time again that the cloud offers improved security and governance when compared to many government agencies or enterprise owned and run datacenters.
Here’s why: control. In the cloud, CIOs can determine exactly what is running, when it ran, how long it ran and what base machine image it originated from. Many CIOs worry about the rogue server under a developer’s desk running something unauthorised or potentially destructive. In a traditional IT environment, it is really difficult for CIOs to know how many orphan servers like this exist. In the cloud, a CIO or his/her designee, can make a single API call at any time and see every system, every virtual machine and every instance.
While the cloud can provide a higher level of control, security as a whole is a shared responsibility between the customer and the cloud provider. Cloud providers can be very secure. However if a customer launches an unpatched or vulnerable application in the cloud, they run the risk of compromise. Additionally, you can have the most secure application in the world, but if it is on an infrastructure that is vulnerable, then you are vulnerable as well.
Since security is a shared responsibility, it is important to understand who owns the security at each level. Is it the user or the provider? Cloud infrastructure services like AWS offer an extremely flexible computing environment, providing organisations with a significant amount of control over their security. If approached correctly, government agencies and enterprises can improve their security posture through the use of a technology infrastructure provider.
Governments and enterprises are recognising that cloud computing enables organisations to offload the heavy lifting of managing servers and datacenters. This means not only is the security of the physical infrastructure management passed on to the cloud provider, but also the security and the technology that enables virtualisation across multiple operating systems.
The infrastructure provider should be an absolute expert at building large datacenters with redundant systems. This requires the provider to secure numerous datacenters spread across the country, if not the world. Looking at the physical security, this means the provider is responsible for managing guards, fences, gates and cameras and ensuring each meet stringent guidelines. The security of the thousands and thousands of servers, switches, load balancers and virtual machines in those data centers is another matter entirely. That is why heavily regulated organisations rely on the validation that comes from certifications and accreditations provided by third party auditors.
Certification and accreditation is certainly not a new process for some. Technology infrastructure providers must achieve certifications and third-party reviews that help government organisations and companies meet well-understood security criteria. The most widely respected and applicable of these certifications is ISO-27001. Technology infrastructure providers should also undergo SOC I Type II audits to ensure they are complying with their own internal policies.
The reliance on auditors to certify the security of a technology infrastructure removes yet another burden from Chief Information Security Officers. Since the CISO does not have to spend time conducting audits of his or her own physical data centers, they can focus resources on areas where they are needed most – the applications. Cloud providers such as AWS are in business and remain in business due to technological innovations and experience in large scale enterprises.
Consider this analogy. The Air Force doesn’t hire people to construct a factory and build aircraft. They contract experts like Boeing or BAE Systems to build aircraft. These are experts that have been building aircraft for years and who have done so by hiring the best and the brightest engineers, builders and architects. The same idea works in cloud computing. Why should organisations take on the burden of building large scale data centers and create infrastructure when there are already experts in business providing this service?
Making the move
Change is hard. Moving existing applications in existing data centers into “the cloud” can sound like a daunting task. However there are ways to do this in a relatively painless manner. As organisations with existing legacy applications build migration plans to make their move, many will operate in a hybrid mode as they gain more cloud experience. One of the ways organisations are jumping into the cloud is by building a secure and seamless bridge between its existing IT infrastructure and the cloud.
With AWS, organisations can do this through the Amazon Virtual Private Cloud (Amazon VPC). This service enables organizations to connect their existing infrastructure to a set of isolated compute resources via a Virtual Private Network (VPN) connection, and to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their cloud resources.
Organisations can achieve end-to-end network isolation by utilising their own IP address range, and routing all network traffic between its VPC and datacenter through an industry-standard encrypted IPsec VPN. For those who need the highest level of security they can take their VPC one step further and run Dedicated Instances. This is when hardware is dedicated to a single customer providing physical isolation for all Amazon EC2 compute instances launched into that VPC.
For any cloud provider, security must be its top priority. Most organisations don’t have the luxury of dedicating resources to security, unlike the cloud provider, which should be actively investing in security technology, processes and personnel. Cloud security is achievable at scale, and we look forward to watching organisations continue to innovate on their IT practices and reap the benefits of operating in a secure, highly available and cost-efficient technology environment.
Steve Schmidt is Chief Information Security Officer at Amazon Web Services