Currently I am looking into a couple of different cloud platforms for new infrastructure projects. Microsoft Azure is creeping up rather highly on the list.
A few years ago the concepts of “security” and “cloud hosting” were diametrically opposed in many people’s minds. Security is an ironic field of IT in that technology, vulnerabilities and exploits, defense and remediation strategy, etc. all evolve very rapidly (like other areas of IT) but due to being tied in tightly with things like regulatory compliance the ideology and actual implementation of change in this area moves at a snail’s pace.
However IT is largely shifting towards cloud technologies and regulation must shift with it. The major players in the cloud hosting space have recognized a need to address security concerns and have made a concerted effort to do so.
Based on my research I think it is fair to say that when going with a large provider, you can often get better security on the “public” edge of your network than you often get when hosting your own environment. This is particularly true for small-to-medium size businesses who tend to prioritize functionality over security in regards to their network, often due to budgetary constraints related to talent and infrastructure. It can be hard, for example, to justify that new $10k firewall when your analysts are in immediate need of more storage space.
The beauty of the cloud is that often, critical security infrastructure components are there and working as long as you are using the service.
One of the more concerning issues, however, especially when migrating away from traditional in-house infrastructure, is the fact that you may in fact be leaving existing security infrastructure behind for which there is no easy cloud counterpart. Azure is a good case-study on this point.
For example, if you aren’t taking it into consideration, you may not realize that for the sake of availability and ease of access you are leaving your Active Directory authentication and control infrastructure behind. Azure has the ability with Federation technologies to subdue this issue by extending your existing AD infrastructure into the cloud. You will need the expertise, however, to set up those federated services and if you don’t already have that in-house my guess is that it won’t be cheap. You might also be downgrading your access. Perhaps your users need a two-factor controlled VPN to access your current infrastructure from outside of the corporate network… most cloud solutions are single-factor username and password access by default and few offer built-in options for things like RSA tokens. What about logging? Logging and, more specifically, log analysis and alerting exists in some form with most cloud services but the nature of it might look very different from say, the on site SEIM solution you already have in place.
So, external threat protection may go up significantly, particularly at the logical perimeter of your network, but insider threat protection might change significantly.
Then there is the issue of data encryption. Microsoft released a full security guide for Azure that addresses this issue in detail. Many people might be surprised to find out that issues like connection string encryption and total database encryption for SQL instances are difficult to implement or simply not possible.
One area I found very reassuring when analyzing issues related to cloud security was the attention that has been paid to isolating customer environments from one another and protecting from “side” attacks. This doesn’t come as much of a surprise though as the majority of industry focus was split between topics in this security category and those of edge security.
All-in-all, I have been impressed by how far things have come in the last few years as the industry as a whole has made security a huge focus in an effort to make services usable for a wider swathe of customers. While part of the appeal of the cloud is to not have to worry about things like control over your infrastructure so that customers can focus more on service delivery, I believe better administrative visibility and control will need to be offered if the industry wishes to continue expanding into wider segments of the market. In the cases where that kind of visibility and control is, in fact, being offered, better and clearer education needs to be provided up front to decision makers.
Some of the reading that has been incredibly useful for me in all of this is as follows:
Anyhow, I hope my rambling has been helpful. Thoughts welcome!