Security In The Public Cloud - Part 2/2

Security In The Public Cloud - Part 2/2

In the first part of this post, we discussed a couple of important things to think about when it comes to moving into the public cloud. We talked about how you’re using someone else’s computer and the C.I.A perspective (confidentiality, integrity, availability). But there is more to consider. When thinking about big cloud providers, privacy is a very hot topic.

Privacy and legal obligations of public cloud providers

Most of this belongs to the topic of confidentiality and being aware that the public cloud is someone else's computer. But there is one additional aspect which I think has to be taken into account: in specific cases, there are legal constructs/requirements (e.g. CLOUD Act) which require public cloud providers to provide authorities with access to the information stored on their infrastructure.

Even if the provider encrypts your data in transit and at rest, they are encrypted on their infrastructure. Depending on how you interpret these obligations, it can mean that such encryptions will be bypassed/deactivated under certain circumstances even when using your own keys.

Although there are quite a few restrictions regarding the use of these mechanisms, the sheer fact that they exist should not be neglected, since there is a certain risk of abuse. On the other hand, if you really do feel threatened by those regulations, you should already know what you're doing, and therefore invest a lot in protecting your data already, even if stored on-premise.

On premise - the holy grail? 

Lastly, if you really fall into the category of people to worry about these kinds of things, a very determined and purposeful attack by a state-level organization would most probably penetrate any of your protective measures. So, is an in-house solution really the holy grail?

Also, a big public cloud player potentially doesn’t have a lot of interest in handling those legal requests since this would tie up very valuable resources on their side. This means that they most probably ensure provable privacy in the first place, and without providing any backdoors.

Conclusion

You would rather not go to the public cloud

  • If you have very strict privacy requirements
  • If you (or your customers) feel threatened by certain mechanism, e.g. the CLOUD Act
  • If you feel threatened by the existence of the mechanisms needed to conform to the CLOUD Act
  • If you are paranoid (But can you do better yourself?) 

     

You (definitely) want to go to the public cloud

  • If you require high availability

  • If you do not have the expertise on all levels to provide the required security level for your infrastructure

  • If you want to save cost and keep or increase the level of security


In short: if you are not able to perfectly manage the full stack (hardware & software) yourself, you either want to have it managed or you need to gain the expertise. In the first case, you ideally opt for the public cloud. In the second case, you need consulting for building your private cloud/on-premise solution. Whatever you choose, Nine can provide you with what you need!

 

You would like to know more about the public cloud or similar topics?  
Subscribe here: 

Subscribe to the nine blog now



Reto Bollinger

Reto is Information Security Officer at Nine