My name is Reto Bollinger, information security officer at Nine Internet Solutions AG, and I would like to tell you about the security benefits of the public cloud. But first let me say this:
«There is no cloud, it's just someone else's computer»
No, I don’t have a split personality. Despite the statement above, I’m here to tell you that there are a number of benefits, but also things to consider when it comes to the public cloud. In this first part, we’ll look at some basic points to think of.
What to consider regarding security in the public cloud
You have to be aware that it is, in fact, someone else's computer you are using
You definitely need to make sure to always maintain sovereignty over the data!
There is always a residual risk when computing your data on someone else's machine, even when using encryption: data is unencrypted at computation and can be accessed at that moment (by the host, as they control the machine, but also by another guest on the same machine by exploiting vulnerabilities)*
Once you have this in mind, you can decide whether you want to trust this setup or not. But there is more to that equation. Depending on your requirements, you have to ask yourself if this setup is more or less secure than the alternative of self-hosting, such as on-premise and/or on a private cloud.
But keep in mind that there are specialists at each level of the stack. You have to ask yourself if you cover all the necessary knowledge to handle this all on your own. If not, you better let the specialists do their job.
*but there are already ways to fight this, see homomorphic encryption
A way to look at security in the public cloud: the C.I.A. perspective
If we look at it from the classic C.I.A. (confidentiality, integrity, availability) perspective, for each of these aspects there are a few points (list is by no means conclusive) to think about:
The important question to ask here is: how good are you on all levels (full stack)? To answer this, certain aspects have to be checked: physical access restriction, logical access restriction (identity management), setting up your system securely, keeping your system up-to-date ([emergency] patching, etc.), secure disposal of media, etc. For example, you have more control over the trustworthiness of your own employees. But they also know more about what data is hosted where and what data is valuable. Additionally, an attacker also has a higher chance of physically locating the data on a self-hosted infrastructure than in the data centers of a public cloud provider, where your data is potentially also migrated every now and then between machines (ideally without you noticing it).
The biggest risk I see here are human errors, caused by manual interaction. So the key question is: how automated (and tested!) are your processes? Every manual interaction is a source of error and therefore a risk for data corruption. Fully automated processes have to be tested thoroughly before being deployed. This means a lot of effort is needed to properly address just the aspect of trying to avoid human errors by increasing the level of automation. But there is also more to integrity: for example, your software’s "behavioural change" through updates/upgrades, or simply the risk of physically altered data (improper media or even bit flipping at the lowest level, if you want to go very low-level)
How many "nines" can you provide with your infrastructure? How fast can you restore your backups? Do you even have backups? Have you ever tried to restore? You don't have a testing environment? How well are you protected against (D)DoS attacks? If you’re unsure about even one of these questions, that's probably not the best starting position.
On the other hand, it’s also very important to check the availability of service providers. A smaller provider could go bust, be acquired, become unavailable or disappear for any other reason. That risk is potentially smaller with a bigger player. On the other hand, a monopolist could dictate conditions that are not in line with your business.
But, Reto, isn’t privacy also a vital part in this discussion around public cloud security?
Yes, it is. But I’ve decided that it is so important that it deserves its own blog post, so I will cover this in the second part of the article.
You would like to know more about the public cloud or similar topics?