By Chad Whalen, Fortinet
More businesses than ever are moving their business operations – in part or in whole – to the cloud. An IDG Enterprise study found 69 percent of businesses have at least one application or a portion of their computing infrastructure in the cloud as of 2014 and another 18 percent are poised to do so in 2015. The public cloud offers flexibility, scalability, immediacy and in most cases is very affordable for enterprise businesses.
Despite the growing adoption of the cloud and cloud services, persistent concerns remain around network security in the cloud. In a 2014 study, the Cloud Security Alliance found 61 percent of companies see security in the cloud as an executive or board level concern. Indeed, security and compliance rank as the primary inhibitors to full-scale adoption of the public cloud.
How can enterprises mitigate these concerns and take full advantage of all the benefits of the public cloud? Where is security needed and what steps should be taken?
In order to provide the level of security required of large businesses either by practice or regulations (for example in the financial and health care industries), there must be security at all points along the data path: entering or exiting the corporate network, entering or existing the cloud provider and especially within the cloud itself.
Let’s take a look at the steps enterprises should take to achieve a secure public cloud environment.
Thoroughly Vet Cloud Vendors
It’s not enough for organizations to migrate existing applications and data to the cloud and presume that compliance will be achieved. Due diligence is the first step to establishing a secure cloud. Not all cloud providers are created equal; the key is to find the one that is the right fit for your business. Start by researching and comparing providers’ data security procedures. It’s unlikely an infrastructure-as-a-service (IaaS) vendor will be able to furnish all the security solutions a business demands. An enterprise should look for multiple trusted partners to achieve cloud security success.
Starting with the cloud provider, make a thorough assessment of the security offerings included in their service agreement. At a minimum this should include VPN and other access and basic network segmentation, including firewalls.
From there decide if and what other security measures need to be taken to ensure compliance and security. Seek out and evaluate solutions offered by third-party technology partners that build on and complement the cloud provider’s included security measures.
Align Internal Standards and Procedures with Cloud Providers
When a company partners with a cloud provider in an IaaS model, security becomes a shared responsibility. A company now is as reliant on its cloud provider as it is on its in-house IT group to provide security for company applications and data. Internal data and network security has to evolve to be consistent with the cloud provider’s service offerings.
What does that mean?
The enterprise must align their internal security policies to be consistent with cloud service providers as data is moved to the cloud.
- Evaluate and understand any gaps in security between on-premise systems and the cloud environment(s) being used.
- Implement procedures to ensure end users (and administrators) are not creating cloud deployments without approval from the IT department.
- Embrace dev-ops (a collaborative relationship between software developers and the IT department) and rein in shadow IT by integrating cloud resources/applications into the life cycle management process.
- Ensure compliance mandates are not being violated by the movement of regulated data to the cloud.
Use Hardware and Best Practices to Protect Cloud Data
Enterprise cloud solutions are often a hybrid, a mix of private cloud and public cloud environments. For the hybrid cloud, investment in state-of-the-art hardware will add layers of security to the cloud environment. As mentioned previously, security is needed in three places: entering or exiting the corporate network, entering or exiting the cloud provider and within the cloud itself. Let’s look at some of the hardware essentials and best practices for these areas.
For data entering and leaving the network and cloud:
- Next Generation Firewall. As an Internet gateway, a next gen firewall (NGFW) enables visibility and protection against external threats and Internet activity.
- Internal Segmentation Firewall. This type of firewall provides visibility and protection for internal segments inside the access layer.
- Intrusion Prevention System (IPS). Protects networks from both known and unknown threats, blocking attacks that might otherwise take advantage of network vulnerabilities and unpatched systems.
- Application Control. Detects malicious content and abnormal behavior in Web-based applications.
- Content Filtering. Inspects Web traffic and blocks malicious traffic from Web-based threats.
- Virtual Private Network (VPN). Enables the establishment of secure communications and data privacy between the cloud environment, internal servers and endpoint users.
- Security Architecture. Built to enforce separate policies on traffic.
And in the cloud:
- Attempt to match the existing security posture of the enterprise
- When requirements exist that aren’t met by the cloud vendor’s built-in security, maintain an autonomous firewall in addition to using the provided security. With increased cloud adoption, many security vendors have extended their solutions to work in IaaS.
- Leverage virtual security appliances from trusted vendors.
Regularly Update Security Architecture
Regular and routine updates to security architecture are vital with any cloud environment. In many ways, network security is a moving target and necessitates constant vigilance. This function could be performed by the third-party security provider or done in-house within the IT department. If an internal IT is unable to provide these services, consider enlisting a managed security service provider (MSSP) that has expertise in these areas for support.
Make Cloud Fit the Organization
The public cloud is not a one-size-fits-all solution. Every business has its own unique needs, requirements and goals. A transition to the public cloud, or a hybrid cloud solution, entails careful research, planning, execution and regular review for a successful implementation.
Security is paramount to cloud adoption because without proper security surrounding sensitive and/or regulated information, business continuity, financial loss, and company reputation is at stake. The cloud – public, private or hybrid – offers many advantages to businesses of all sizes, but needs to be done in a responsible and thoughtful manner.
Chad Whalen is the vice president of Cloud Security at Fortinet, a provider of high-performance cyber security solutions.