Light Dark
June 27, 2019 By Diana Kightlinger 4 min read
Cloud Security
Security Services

Every enterprise today seems to be moving toward cloud computing, but the term itself can be nebulous. And more critically, is the cloud secure? The answer, decidedly, is that it depends. To gain the advantages of the cloud without succumbing to the risks, a plan for cloud computing security should accompany any migration.

Choose Your Cloud: Public, Private or Hybrid?

Cloud computing refers to the delivery of on-demand computing resources — from applications to data centers — over the internet on a pay-for-use basis. As a result, enterprises gain:

  • A scalable resource to meet changing demands;
  • A pay-as-you-go metered service; and
  • Self-service access to all the IT resources the organization needs.

Although all clouds promise to provide a responsive and efficient way to deliver IT services, they’re not all created equal. Public clouds are owned and operated by companies promising rapid access to affordable computing resources over a public network — think Amazon Web Services (AWS) or Microsoft Azure. Private clouds are operated to serve a single organization, whether they’re internally or externally managed and hosted. Enterprises with private clouds gain more control and avoid sharing resources with other cloud customers.

The increasingly popular hybrid cloud — such as IBM Cloud — combines public cloud computing and/or storage with a private cloud infrastructure. Though they are independent, the public and private environments communicate via an encrypted connection. The global hybrid cloud market was valued at more than $38 billion in 2018, and it is projected to reach $1 trillion by 2024, according to Mordor Intelligence. While the hybrid cloud market has experienced significant overall growth in recent years — especially compared to other cloud services — it makes sense to proceed cautiously where cloud computing security is concerned.

Is the Cloud Secure? Only If You Think About Security First

It’s easy to get swept away by the advantages that a hybrid cloud could provide in handling fluctuating workloads and mushrooming data sets. Many industries, particularly financial, retail and healthcare, are racing toward cloud adoption. But in the rush, security can sometimes struggle to keep up.

In one 2017 study, 42 percent of organizations reported an attack within their hybrid cloud environments, according to Capsule8. Although the cloud provides some protection against zero-day exploits and insider attacks, enterprise security teams must ultimately secure workloads and data in the cloud just as they do for on-premises environments. This can be tricky. Consider the fact that 44 percent of respondents to a Firemon survey reported that IT staff or application owners are responsible for securing the cloud, not their security teams.

Security organizations need a robust framework to manage advanced threats, compliance requirements and the accelerating pace of business.

Why You Should Consider Containers

Application containers have evolved alongside hybrid cloud adoption. Containers bundle apps with all their operating system dependencies, giving organizations the agility to develop and deploy software faster and to provision and start applications quickly. Containers isolate applications from one another and the host, improve security, and encourage teams to adopt the principle of least privilege — granting access only to users with a demonstrated need.

Because containers run the same in development as they do in quality assurance and production, it’s easy to move them between environments, including clouds. And they have the potential to be more secure because they’re never patched and are simply replaced by new versions. This shifts a large portion of the security controls toward the earlier end and into DevOps.

Build Security Into the Design Process

DevOps refers to software development (Dev) processes combined with IT operations (Ops). DevOps shortens software development and better aligns the process with business objectives. Before applications are ever put into production, developers need tools that automatically highlight security risk and report vulnerabilities in code. When DevOps centers on security — as DevSecOps— access management, authentication and authorization become easier in both native and migrated cloud apps. But DevSecOps also means that development, operations and security teams have to join forces.

Cloud computing security must work in conjunction with DevOps. Embedding security from the start can allow much greater operational efficiency and less lost productivity after a breach. Given that hybrid cloud architecture spans multiple systems, it can broaden an organization’s attack surface. And yet, few companies have sufficient resources to secure the full range of environments. Automation is the key to scanning for vulnerabilities, applying consistent policies for identity and access management (IAM), reviewing logs and records, and ensuring a seamless experience for users.

Recognize Your Responsibility

Too many enterprises adopting public or private cloud environments fail to understand who is responsible for security. As one major cloud service provider (CSP) stated, they are responsible for the security of the cloud, and the enterprise is responsible for security in the cloud, including all the applications and databases running there.

True cloud security takes a collaborative effort, but CSPs provide varying levels of security, and what’s covered can depend on whether you’ve signed up for a software-as-a-service (SaaS), platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS) model. Therefore, security teams must understand which security and compliance provisions their CSPs include and complement them to stay on the right side of regulations such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI-DSS).

No matter what services your enterprise chooses, your security organization and IT team must still protect customer data, enforce access controls, monitor for malware infiltration and educate users. Your architectures, policies and tools must be consistent across every environment — from on-premises to public or private clouds to endpoints — to guard against constantly changing internal and external threats.

Learn more about securing your hybrid cloud

 |  |  |  |  |  |  |  | 
Diana Kightlinger

More from Cloud Security
November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 19, 2023

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

October 3, 2023

The importance of Infrastructure as Code (IaC) when Securing cloud environments

4 min read - According to the 2023 Thales Data Threat Report, 55% of organizations experiencing a data breach have reported “human error” as the primary cause. This is further compounded by organizations now facing attacks from increasingly sophisticated cyber criminals with a wide range of automated tools. As organizations move more of their operations to the cloud, they must also become increasingly aware of the security risks and threats that come with it. It’s not enough anymore to simply have a set of…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature