Well, let’s start by saying it is very secure. But there is always a ‘but’. There are a few things we need to understand and consider when moving our data to the cloud.
From the very beginning, users had issues with trusting the cloud. There were a lot of questions raised. Where is my data? Who can access my data? Is the cloud provider able to access or use my data? To counter these trust issues, the cloud was advertised as a safe and secure environment with better security measures that we can ever achieve in local data centers. And to be fair, most of that is true, but only if we understand how it works. Just by moving data to the cloud, does not mean data is secure once it’s there. There are some steps required by customers to really make it safe.
Security in the cloud operates under a shared responsibility model, where the cloud provider is responsible for some parts and we (the customer) needs to take responsibility for some parts as well. So, let’s discuss who needs to do what with cloud security. In this article, we are going to use Microsoft Azure as an example, but similar things can be said about any other cloud provider.
Security settings, that are always the responsibility the of cloud provider, are the physical data center, physical network and physical hosts.
When it comes to physical security, every data center is covered with guards, video surveillance and other security measures. No-one unauthorized is allowed and multifactor authentication with biometrics is required to enter the building. Inside data centers, we have additional security measures, with everything recorded and monitored 24/7. Such security is rarely achievable by an ordinary customer in thier local environments. Reviews of physical security are conducted periodically for all facilities. This aims to satisfy all security requirements at all times.
To ensure data security, all data is encrypted at rest. After equipment reaches end of life, it is disposed in a secure way with rigorous data and hardware disposal policies.
Physical security of the network is also the responsibility of the cloud provider. Azure network is separated into three layers – core, distribution and access. All three layers use distinct hardware in order to completely separate all layers. Core layer uses datacenter routers, distribution layer uses access routers and L2 aggregation (this layer separates L3 routing from L2 switching), and access layer uses L2 switches. Azure network architecture includes two levels of L2 switches. First level aggregates traffic and second level loops to incorporate redundancy.
This is where things take new turn. Depending on the cloud model we are using, elements of security are our own responsibility. For Infrastructure as a Service, there is more responsibility on the customer side, than with Platform as a Service. And compared to both of these models, Software as a Service has more responsibility on the cloud provider side.
Security settings, that are always customer’s responsibility, are data governance, rights management, endpoints, account and access management.
A third group of security settings (first two groups being always provider’s responsibility and always customer’s responsibility) are identity, directory infrastructure, applications, network and operating system. These settings actually depend on the cloud model that we are using. Now, let’s compare all three models and see who is responsible for what and when.
With Infrastructure as a Service, all settings in the third group are the customer’s responsibility. The customer needs to take care of identity and directory infrastructure. Most of the network controls are the customer’s responsibility. Security regarding operating systems is also the customer’s responsibility. This includes firewalls, security patching, OS hardening etc. With more responsibility comes more control. The customer has the ability to run services and configuration any way they like, but this comes with more security settings they need to take care of and manage over the lifecycle of the deployment.
Platform as a Service takes away some of these controls but responsibility as well. The customer no longer controls OS, patching and everything else is done by cloud provider. Most of the network controls are transferred to cloud provider, along with responsibility for that part. Identity and directory infrastructure are still the customer’s responsibility.
With Software as a Service, all controls from the third group are transferred completely to the cloud provider and customer controls only security settings that are always the responsibility of a customer. It’s important to remember that these security settings (data governance, rights management, endpoints, account and access management) are always the customer’s responsibility, no matter what cloud model is in use.
If we keep all this in mind, and take care of security settings that are our responsibility, the cloud can be very secure place. Even more secure than our on-premises environment. However, we need to decide in which direction we want to go. More flexibility brings more responsibility. The bottom line is, whatever model we choose, some part of security is always our own responsibility and our data is not magically secure just because it’s in the cloud.
Did you like this article? Are you interested in this topic? Would you like to share your knowledge and experience with the authors and other readers? Our #communityrocks group on Facebook is bringing everyone involved together: authors, editors and readers. Join us in sharing knowledge, asking questions and making suggestions. We would like to hear from you!
Join us on Facebook
This article shows how the use of rotating certificates with Azure Key Vault and Azure App Services works. As soon as the SSL certificates are uploaded in Key Vault and set up in the App Services, they can be used automatically in all App Services by renewing them at a single point.
What can be more collaborative than the principle of DevOps? The very word suggests a collaborative relationship between Operations and Developers.