Dark Reading

Network Security

5/30/2018
09:35 AM
Alan Zeichick

Public Cloud, Part of the Network or Not, Remains a Security Concern

Security in the public cloud is like asking who is responsible for securing your rented apartment -- you or the building owner?

The public cloud is part of your network. But it's also not part of your network. That can make security tricky, and sometimes become a nightmare.

The cloud represents resources that your business rents: computational resources, like CPU and memory; infrastructure resources, like Internet bandwidth and internal networks; storage resources; and management platforms, like the tools needed to provision and configure services.

Whether it's Amazon Web Services, Microsoft Azure or Google Cloud Platform, it's like an empty apartment that you rent for a year. You start out with empty space, put in there whatever you want and use it however you want. (See Security Spending Increasing, Along With Data Breaches.)

Is a seasonal rental apartment your home? That’s a big question, especially when it comes to security.

By the way, let's focus on platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS), where your business has a great deal of control over how the resource is used -- like an empty rental apartment.

We are not talking about software-as-a-service (SaaS), like Office 365 or Salesforce.com; that's where you show up, pay your bill and use the resources as configured. That’s more like a hotel room: you sleep there, but you can’t change the furniture. Security is almost entirely the responsibility of the hotel; your security responsibility is to ensure that you don’t lose your key, and to refuse to open the door for strangers. The SaaS equivalent: Protect your user accounts and passwords, and ensure users only have the least necessary access privileges.

Why PaaS/IaaS are part of your network
As Peter Parker knows, Spider-Man's great powers require great responsibility.

That's true in the enterprise data center -- and it's true in PaaS/IaaS networks. The customer is responsible for provisioning servers, storage and virtual machines. Not only that, but the customer also is responsible for creating connections between the cloud service and other resources, such as an enterprise data center -- in a hybrid cloud architecture -- and other cloud providers -- in a multi-cloud architecture.

The cloud provider sets terms for use of the PaaS/IaaS, and allows inbound and outbound connections. There are service level guarantees for availability of the cloud, and of servers that the cloud provider owns. Otherwise, everything is on the enterprise. Think of the PaaS/IaaS cloud as a remote data center that the enterprise rents, but that you can't physically visit to see your rented servers and infrastructure.

Why PaaS/IaaS are not part of your network
In short, except for the few areas that the cloud provider handles -- availability, cabling, power supplies, connections to carrier networks, physical security -- you own it. That means installing patches and fixes. That means instrumenting servers and virtual machines.

That means protecting them with software-based firewalls. That means doing backups, whether using the cloud provider's value-added services or someone else's. That means anti-malware.
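The tenant-side duties listed above (patching, instrumenting, host firewalls, backups, anti-malware) are the kind of thing that can be checked mechanically against your own inventory. The script below is an added example written for this page; it is not the author's code or any cloud provider's tool. The inventory format, the host names, the "admin port" list and the 30-day patch threshold are all constructed for illustration.

```python
"""Customer-side audit of IaaS/PaaS responsibilities (added example).

The inventory format below is constructed for this example; it does not
correspond to any provider's API. A real run would feed in an export from
the tenant's own CMDB or cloud API.
"""
from datetime import date

# Constructed inventory: two rented hosts and what the tenant knows about them.
INVENTORY = [
    {"name": "web-1", "last_patched": "2018-05-01", "backup": True,
     "antimalware": True,
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                 {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"name": "db-1", "last_patched": "2018-02-10", "backup": False,
     "antimalware": False,
     "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"}]},
]

# Management and database ports that should never face the whole Internet
# (assumed list for the example; tune to your environment).
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 6379, 27017}
# Assumed patch-age policy: anything older than this is a finding.
MAX_PATCH_AGE_DAYS = 30
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def audit_host(host, today):
    """Return a list of findings for one host; empty means it passes."""
    findings = []
    name = host["name"]

    # Patching: the provider patches its hypervisors, not your guests.
    age = (today - date.fromisoformat(host["last_patched"])).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"{name}: not patched for {age} days")

    # Software firewall / security-group rules are the tenant's to define.
    for rule in host.get("ingress", []):
        if rule["cidr"] in PUBLIC_CIDRS and rule["port"] in ADMIN_PORTS:
            findings.append(f"{name}: port {rule['port']} open to {rule['cidr']}")

    # Backups and anti-malware do not come with the rented server.
    if not host.get("backup"):
        findings.append(f"{name}: no backup configured")
    if not host.get("antimalware"):
        findings.append(f"{name}: no anti-malware agent")
    return findings


def audit(inventory, today_iso):
    """Audit every host as of the given ISO date; return all findings."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host in inventory:
        findings.extend(audit_host(host, today))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, "2018-05-30"):
        print(finding)
```

Run as-is, the web host passes (port 443 is meant to be public and SSH is limited to the internal range) while the database host produces four findings: it is months behind on patches, exposes its database port to the Internet, and has neither backups nor an anti-malware agent. None of those would be caught or fixed by the provider.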

That's not to minimize the things the cloud provider does for you. Power and cooling are a big deal. So are racks and cabling. So is physical security, and having 24x7 on-site staffing in the event of hardware failures.


Also, there's click-of-a-button ability to provision and spin up new servers to handle demand, and then shut them down again when not needed. Cloud providers can also provide firewall services, communications encryption, and of course, consulting on security.

The word elastic is often used for cloud services; that's what makes the cloud much more agile than an on-premises data center, or renting an equipment cage in a colocation center. It's like renting an apartment where, if you need a couple of extra bedrooms for a few months, you can upsize.

For many businesses, that's huge.

But again, with great power comes great responsibility.

You've got to secure and test your resources, just like it's your job to make sure the doors and windows are locked on a rental apartment, and make sure you engage an alarm service and video surveillance if you want that level of protection. It doesn't come with the apartment -- or with the cloud.

For examples of the responsibilities you have for securing PaaS and IaaS, and of where the service provider takes responsibility, there are shared-responsibility documents from AWS, GCP and Azure. Consider those a starting point -- not a full, comprehensive list.

In short: The PaaS/IaaS cloud is part of your network.

Sure, know your cloud provider's service level agreements, but ultimately, it's your responsibility to protect your applications, your data, your customers, and your intellectual property. The cloud might move the money from CapEx to OpEx, but assume that security is 100% your responsibility. After all, it's your data, and your business that's at risk if there's a breach.

To do otherwise would be a major, major mistake.


Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.
