The public cloud is part of your network. But it's also not part of your network. That can make security tricky, and sometimes become a nightmare.
The cloud represents resources that your business rents. Computational resources, like CPU and memory; infrastructure resources, like Internet bandwidth and Internal networks; storage resources; and management platforms, like the tools needed to provision and configure services.
Whether it's Amazon Web Services, Microsoft Azure or Google Cloud Platform, it's like an empty apartment that you rent for a year. You start out with empty space, put in there whatever you want and use it however you want. (See Security Spending Increasing, Along With Data Breaches.)
Is a seasonal rental apartment your home? That’s a big question, especially when it comes to security.
By the way, let's focus on platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS), where your business has a great deal of control over how the resource is used -- like an empty rental apartment.
We are not talking about software-as-a-service (SaaS), like Office 365 or Salesforce.com; that's where you show up, pay your bill and use the resources as configured. That’s more like a hotel room: you sleep there, but you can’t change the furniture. Security is almost entirely the responsibility of the hotel; your security responsibility is to ensure that you don’t lose your key, and to refuse to open the door for strangers. The SaaS equivalent: Protect your user accounts and passwords, and ensure users only have the least necessary access privileges.
Why PaaS/IaaS are part of your network
As Peter Parker knows, Spider Man's great powers require great responsibility.
That's true in the enterprise data center -- and it's true in PaaS/IaaS networks. The customer is responsible for provisioning servers, storage and virtual machines. The customer is also responsible for creating connections between the cloud service and other resources, such as an enterprise data center -- in a hybrid cloud architecture -- and other cloud providers -- in a multi-cloud architecture.
The cloud provider sets terms for use of the PaaS/IaaS, and allows inbound and outbound connections. There are service level guarantees for availability of the cloud, and of servers that the cloud provider owns. Otherwise, everything is on the enterprise. Think of the PaaS/IaaS cloud as being a remote data center that the enterprise rents, but where you can't physically visit and see your rented servers and infrastructure.
Why PaaS/IaaS are not part of your network
In short, except for the few areas that the cloud provider handles -- availability, cabling, power supplies, connections to carrier networks, physical security -- you own it. That means installing patches and fixes. That means instrumenting servers and virtual machines.
That means protecting them with software-based firewalls. That means doing backups, whether using the cloud provider's value-added services or someone else's. That means anti-malware.
That's not to minimize what the cloud provider does for you. Power and cooling are a big deal. So are racks and cabling. So is that physical security, and having 24x7 on-site staffing in the event of hardware failures.
Also, there's the click-of-a-button ability to provision and spin up new servers to handle demand, and then shut them down again when they're not needed. Cloud providers can also provide firewall services, communications encryption, and of course, consulting on security.
The word elastic is often used for cloud services; that's what makes the cloud much more agile than an on-premises data center, or renting an equipment cage in a colocation center. It's like renting an apartment where, if you need a couple of extra bedrooms for a few months, you can upsize.
For many businesses, that's huge.
But again, with great power comes great responsibility.
You've got to secure and test your resources, just like it's your job to make sure the doors and windows are locked on a rental apartment, and make sure you engage an alarm service and video surveillance if you want that level of protection. It doesn't come with the apartment -- or with the cloud.
For examples of the responsibilities you carry in securing PaaS and IaaS, and of where the service provider takes responsibility, see the shared-responsibility documents published by AWS, GCP and Azure. Consider those a starting point -- not a full, comprehensive list.
In short: The PaaS/IaaS cloud is part of your network.
Sure, know your cloud provider's service level agreements, but ultimately, it's your responsibility to protect your applications, your data, your customers, and your intellectual property. The cloud might move the money from CapEx to OpEx, but assume that security is 100% your responsibility. After all, it's your data, and your business, that's at risk if there's a breach.
To do otherwise would be a major, major mistake.
— Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.