I have said before that I believe IaaS is less easily compromised than on-premise infrastructure but the question remains whether businesses should manage the security of their own data platforms, applications, operating systems and firewalls or opt for a fully managed service.
I would say that the latter option is more secure.
It can seem counterintuitive to hand over the ‘keys to the castle’ to a third party but as IaaS becomes mainstream, this model will become standard.
Here are the benefits I see from managed IaaS security.
Avoiding Confusion over Responsibilities
There is often confusion around exactly who is responsible for information security in the IaaS model. Although we all know that public IaaS providers (e.g. AWS with EC2) are responsible for security of the cloud while the client is responsible for security in the cloud, the boundary between the two is not always clear. It is in that hazy gap between client and cloud provider where security problems happen. For example, all business owners know that securing the endpoints is their duty; that goes for SaaS too, of course. Many businesses are also well aware that it is their job to ensure API source code is watertight and that the network is monitored for suspicious activity and vulnerabilities. Identity management, however, is a classic area of confusion, as responsibility tends to fall somewhere between the client and the cloud provider.
With their field experience and need to provide a reliable service, established managed IaaS providers have a clear understanding of what they are responsible for, reducing the risk of breaches through oversight.
Securing the Honey Pot
Cyber criminals go where the money is. For a long time, MacOS users basked in an aura of invincibility which was overhyped because no serious hacker was interested in spending time breaking into anything but a Microsoft Windows operating system.
More recently, Facebook leaked a huge amount of data to shady companies while a serious API flaw in Google+ remained undiscovered. After all, why would anyone spend development time trying to harvest data from a dying social media network?
Where am I going with this? We can be sure that the concerted efforts of cybercriminals are going to be directed at breaking into AWS, Azure, GCP and IBM Cloud – the so-called ‘Big Four’ of the public cloud space. Businesses with unpatched operating systems, shadow IT, weak IAM processes and poor firewall configurations are going to be the low-hanging fruit.
With their industry expertise and need to work at scale, managed IaaS providers will continue to develop the tools and processes that can handle the increased threat. Two areas where they will have the clear edge are the evolution of rules-based security and constant vigilance.
Human error is the common factor behind most security breaches. Therefore, the more the human can be removed from the security process, the better. Fortunately, this is the way the industry is going with rules-based security.
Automatically comparing configurations with standard templates using cloud APIs allows infrastructure to be updated, applications to be deployed and users to be added in the knowledge that any change will be checked against the rules, and that the client’s IT support team or security center will be notified if a rule has been breached.
As an example, if a new user is set up with root access, this would trigger an alert against a ‘principle of least privilege’ rule. Business owners should check which security benchmarks each managed IaaS provider measures against as part of their research.
How an IaaS provider monitors the cloud or hybrid network for danger is another critical factor to look at. For maximum security, monitoring needs to be both broad and deep.
As well as picking up on unusual network activity and user behavior, monitoring software in a cloud environment will need to shine a light into shadow IT that is costing the business money or putting data at risk. This includes ghost servers, orphan storage and the reactivation of dormant resources.
Whenever new applications and services are deployed, they should be seamlessly added on to the monitoring schedule without human intervention.
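The least-privilege rule and the orphan-storage and dormant-resource monitoring described in the two passages above, as one added example (an illustration written for this page, not code from the post or from any provider): it evaluates a constructed inventory snapshot against three rules and returns the findings that would go to the alert channel. The snapshot layout, the rule names and the 30-day dormancy threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory snapshot (sample data, not a real account): the kind of
# record a rules engine receives after pulling it through the provider's APIs.
SNAPSHOT = {
    "users": [
        {"name": "alice", "policies": [{"Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::reports/*"}]},
        {"name": "bob", "policies": [{"Action": "*", "Resource": "*"}]},  # root-equivalent grant
    ],
    "volumes": [
        {"id": "vol-0001", "attached_to": "i-0001"},
        {"id": "vol-0002", "attached_to": None},  # orphan storage
    ],
    "instances": [
        {"id": "i-0001", "stopped_at": None, "started_at": "2024-03-01T08:00:00"},
        {"id": "i-0002", "stopped_at": "2023-11-01T00:00:00", "started_at": "2024-03-01T09:00:00"},
    ],
}

def rule_least_privilege(snap):
    """A policy granting every action on every resource breaches least privilege."""
    findings = []
    for user in snap["users"]:
        for policy in user["policies"]:
            actions = policy["Action"] if isinstance(policy["Action"], list) else [policy["Action"]]
            if "*" in actions and policy.get("Resource") == "*":
                findings.append(("least_privilege", user["name"]))
    return findings

def rule_orphan_storage(snap):
    """A volume attached to nothing is paid-for data that nobody is guarding."""
    return [("orphan_storage", v["id"]) for v in snap["volumes"] if v["attached_to"] is None]

def rule_dormant_reactivated(snap, dormant_days=30):
    """An instance idle longer than dormant_days (assumed threshold) that is running again needs a look."""
    findings = []
    for inst in snap["instances"]:
        if inst["stopped_at"] is None:
            continue
        idle = datetime.fromisoformat(inst["started_at"]) - datetime.fromisoformat(inst["stopped_at"])
        if idle > timedelta(days=dormant_days):
            findings.append(("dormant_reactivated", inst["id"]))
    return findings

RULES = [rule_least_privilege, rule_orphan_storage, rule_dormant_reactivated]

def evaluate(snap):
    """Run every rule; each finding is (rule, resource) for the alert or ticketing channel."""
    return [finding for rule in RULES for finding in rule(snap)]
```

Calling evaluate(SNAPSHOT) on the sample data flags bob's wildcard policy, the unattached volume and the instance that sat idle for months before being started again.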
A Brave New World
According to Gartner, businesses operating wholly outside of the cloud will be as rare in 2020 as those operating completely offline are today. Rather than hover on the edge, trying to apply legacy security measures to an increasingly sophisticated cloud infrastructure, businesses need to get used to relying upon managed cloud security. Of course, I am not advocating jumping into the IaaS space without plenty of thought and guidance. Not every cloud service provider will be capable of providing a secure environment.
However, the ironic truth is that the best course of action when it comes to security in the cloud is to put your faith in a third party.
Brent Whitfield is CEO of DCG Ltd. DCG provides a host of IT services that LA businesses depend upon, whether they deploy in-house, cloud or hybrid infrastructure. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. The IT services provider https://www.dcgla.com was recognized among the Top 10 Fastest Growing MSPs in North America by MSP mentor. Twitter: @DCGCloud