Three Public Cloud Security Myths

Organizations Don’t Have to be Fearful of Public Clouds, They Just Need to Better Understand Them.

At the RSA Conference earlier this month, there were two topics that seemed to prevail: mobile and cloud security. As more mobile payment platforms and applications arise, 2012 will be a year that highlights a whole new set of vulnerabilities. A recent hack on Google Wallet is just one example of what’s to come. And the Cloud Security Alliance announced new initiatives specific to mobile security.

The cloud security discussion is of course already well underway and was only heightened at the event. There is still quite a bit of speculation around the ability for a cloud infrastructure to be truly secure. Today I’d like to tailor that debate even further and discuss one of my favorite topics: the public cloud. Here are three myths about public cloud security.

You can’t achieve regulatory compliance in cloud environments.

Many folks don’t know that the Payment Card Industry (PCI) has enacted guidelines that specifically address public cloud environments. In fact, PCI-DSS 2.0 was written with a strong emphasis on virtualized environments. The technology and means are there, it’s just that many vendors and companies aren’t yet spending the money and taking the steps to achieve them. Because the public cloud is inherently a shared infrastructure, public cloud providers are in a unique situation to provide regulatory compliance controls. By deploying security measures carefully and cross-mapping controls for compliance such as PCI and HIPAA, even non-compliant customers reap some of the benefit. Compliance in itself is not security. But being able to produce a compliant infrastructure is big piece of the pie. The point, however, is that it can be done.

If one company in that cloud gets hacked, everyone else is vulnerable.

Albeit a common perception, public cloud hosting is not shared hosting. While organizations are using a common shared infrastructure, the data, networks and device policies can be completely segregated. It’s possible to setup the public cloud environment in a way that forces all external and semi-external traffic to traverse the network. This means companies will be subject to the same security countermeasures and inspections regardless of the source of traffic. For instance, if an organization running an Ecommerce site and another organization that uses their services co-exist on the same public cloud infrastructure, the client traffic would be forced to exit the infrastructure and come back in as if they were sourcing from the Internet. Complete logical segregation is possible, and it’s necessary for security, as well as most regulatory compliance.

The Cloud can never be as secure as a dedicated server.

The 2011 Verizon Data Breach Investigation Report points out that internally hosted, internally managed infrastructures are breached most frequently. This is because the management of these types of infrastructures is typically less focused on the day-to-day security than those that are using cloud or virtualized environments. This is a similar characteristic in most industries. If architected and managed properly, there is no evidence that a public cloud environment is any less secure than a traditional, dedicated one. A cursory look at Google Search Volume Index statistics reveals evidence that organizations are ditching their dedicated environments for cloud alternatives. Public cloud environments are typically built and maintained by companies that are constantly monitoring and managing the infrastructure for integrity and vulnerabilities – always working to improve and secure the environment. The Cloud Security Alliance has implemented standards and procedures that, if followed by vendors, can actually mean cloud environments are being better cared for from a security standpoint than dedicated.

If we learned anything at the RSA Conference this year, it’s that cloud infrastructures can be secure, and they must be for the need is growing quite fast. In this vein, organizations don’t have to be fearful of public clouds. They just need to better understand them.

Read More in SecurityWeek’s Cloud Security Section!