For many organisations, the prospect of migrating their IT infrastructure to the cloud is becoming increasingly attractive. The key benefits are cost savings, scalability and more time to focus on their businesses and on the applications that matter to their customers. Many adopters have also realised that moving to the cloud can help them increase their security visibility and effectiveness, says Bill Murray, global head of Security Programs, Amazon Web Services.
While the advantages of moving to the cloud are obvious, some questions must be asked and answered in order to make the move securely and efficiently. For example: who owns security at each level?
Positioning security first
Security should be every reputable cloud provider’s top priority. However, different cloud offerings provide different levels of security, so it is important to understand who has responsibility at each level. Software as a Service (SaaS) cloud providers bear the majority of the responsibility for security. Platform as a Service (PaaS) providers hold a smaller share of the security pie, while with Infrastructure as a Service (IaaS), customers and the cloud provider share security responsibilities. Looking at physical security, the cloud provider is responsible for the data centres in which the cloud operates. This means managing access control, guards, fences, gates, alarms and cameras at its facilities. The provider must ensure that each facility meets stringent guidelines for design and operation. Likewise, the cloud service provider (CSP) is responsible for the virtual security of the network: the millions of servers, switches, load balancers and virtual machines in those data centres.
The savvy cloud customer will demand proof from their cloud providers that they have achieved certifications and accreditations demonstrating the security of their offering. These certifications and accreditations need to be conducted by reputable third-party auditors, who assess the security controls required by heavily regulated industries such as government, health care and finance.
The most widely respected and applicable of these certifications is ISO 27001. Developed by the International Standards Organisation, the ISO 27001 controls are accepted by companies around the world. Cloud infrastructure providers should also undergo Service Organisation Controls 1, 2 and 3 (SOC 1, 2, 3) audits, which test financial, operational and compliance controls. The ability of auditors to certify the security of a cloud provider’s technology infrastructure helps chief information security officers evaluate cloud technologies. Customers may also want to see certifications and accreditations for their particular industry; one such example is the Payment Card Industry Data Security Standard (PCI DSS) Level 1, which applies to credit card payments and the ability to securely maintain personally identifiable information.
Your own corner of the cloud
Some providers, such as Amazon Web Services, also offer customers the opportunity to carve out their own isolated section of the cloud to create what we call a Virtual Private Cloud. In this case, customers have complete control over their virtual networking environment, including selection of their own IP address range, creation of subnets, configuration of routing tables and network gateways, and the associated firewall rules. This service is used by organisations that want to use the cloud as an extension of their existing data centre, which lets them do so while retaining the flexibility and low cost of cloud computing. There is nothing inherently at odds about providing on-demand infrastructure while also providing the security isolation companies have become accustomed to in their existing on-premises or colocation environments.
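The IP range, subnets, route tables, gateways and firewall rules listed above are the customer's side of the shared responsibility, so they are worth auditing. The following script is an added example, not code from the article or from AWS: it checks a constructed VPC description (field names only loosely resemble the AWS API; nothing comes from a real account) for subnets that leave the VPC range, supposedly private subnets that route to an internet gateway, and non-web ports exposed to the whole internet.

```python
"""Audit a VPC layout for the customer-side controls named in the text:
IP range, subnets, route tables, gateways and firewall rules.
The VPC description is constructed for this example; field names only
loosely resemble the AWS API and nothing here comes from a real account."""
import ipaddress

# Constructed sample: one public and one private subnet, two security groups.
VPC = {
    "cidr": "10.20.0.0/16",
    "subnets": [
        {"id": "subnet-web", "cidr": "10.20.1.0/24", "route_table": "rtb-public"},
        {"id": "subnet-db", "cidr": "10.20.2.0/24", "route_table": "rtb-private"},
    ],
    "route_tables": {  # (destination, target); "igw-*" is an internet gateway
        "rtb-public": [("10.20.0.0/16", "local"), ("0.0.0.0/0", "igw-main")],
        "rtb-private": [("10.20.0.0/16", "local")],
    },
    "security_groups": {  # ingress rules: (protocol, from_port, to_port, source)
        "sg-web": [("tcp", 443, 443, "0.0.0.0/0")],
        "sg-db": [("tcp", 5432, 5432, "10.20.1.0/24"), ("tcp", 22, 22, "0.0.0.0/0")],
    },
}

def subnet_is_public(vpc, subnet_id):
    """True if the subnet's route table sends 0.0.0.0/0 to an internet gateway."""
    sub = next(s for s in vpc["subnets"] if s["id"] == subnet_id)
    routes = vpc["route_tables"][sub["route_table"]]
    return any(dst == "0.0.0.0/0" and tgt.startswith("igw-") for dst, tgt in routes)

def world_open_ports(vpc, sg_id, allowed=(80, 443)):
    """Ports reachable from any source address that are not on the allow list."""
    found = []
    for proto, lo, hi, src in vpc["security_groups"][sg_id]:
        if ipaddress.ip_network(src).prefixlen == 0:  # 0.0.0.0/0 or ::/0
            found += [(proto, p) for p in range(lo, hi + 1) if p not in allowed]
    return found

def audit(vpc, expected_private=("subnet-db",)):
    """Findings: subnets outside the VPC range, subnets that should be private
    but reach the internet, and non-web ports exposed to the world."""
    findings = []
    net = ipaddress.ip_network(vpc["cidr"])
    for sub in vpc["subnets"]:
        if not ipaddress.ip_network(sub["cidr"]).subnet_of(net):
            findings.append(f"{sub['id']}: {sub['cidr']} lies outside VPC range {vpc['cidr']}")
        if sub["id"] in expected_private and subnet_is_public(vpc, sub["id"]):
            findings.append(f"{sub['id']}: expected private but routes to an internet gateway")
    for sg in vpc["security_groups"]:
        findings += [f"{sg}: {proto}/{port} open to the world" for proto, port in world_open_ports(vpc, sg)]
    return findings
```

Run against the sample, the audit reports only the SSH rule on the database security group; the same functions can be pointed at real describe-* output once it is mapped into this shape.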
Sharing the security responsibilities
While the cloud can provide a higher level of physical and logical security than most organisations can afford to provide themselves, it is important to note that security, as a whole, is a shared responsibility between the customer and the cloud service provider. Cloud providers can be very secure. However, if a customer launches an unpatched or vulnerable application in the cloud, they run the risk of compromise. Conversely, a customer who runs a very secure application in an insecure cloud environment runs the same risk of compromise. The nature of this shared responsibility is to provide the flexibility and control that permit customers to deploy applications that meet their specific needs.
Most organisations don’t have the luxury of dedicating resources to physical or virtual security. A reputable cloud provider should be actively investing in security technology, processes and personnel. Cloud security is achievable at scale, and we look forward to watching organisations continue to innovate in their IT practices and reap the benefits of operating in a secure, highly available and cost-efficient technology environment. We have many examples of customers around the world that have been able to enhance, or at least maintain, their own high levels of security by moving to the cloud. One such example in South Africa comes from the financial services space.
Secure South African Applications
Entersekt is a South Africa-based start-up technology company that works with numerous banks across Africa, Europe and North America and helps them take advantage of the cloud. Entersekt is working with banking institutions such as Nedbank, Capitec Bank and SwissCard to supply them with highly secure mobile applications that take advantage of Amazon Web Services.
Entersekt’s mobile applications help improve the security of the retail banking experience and allow users to authenticate individual transactions, such as online card purchases and online wire transfers, simply by choosing to “Accept” the transaction when prompted on their mobile phones. Amazon Web Services supports this solution with the ability to scale, ease of deployment, and an infrastructure that is ISO 27001 and PCI DSS Level 1 compliant straight out of the box.
For banks, having millions of phones connecting into their infrastructure can be a total scaling and security nightmare. This problem is solved by Entersekt and the AWS Cloud. With the Entersekt system, data is sent fully encrypted from the bank and passed through Amazon Web Services, which has the scale to handle massive numbers of mobile phones connecting to its infrastructure. This in turn helps the bank cope with vast numbers of users connecting securely to its system all at once. With an extremely small and lightweight installation at the bank to handle the encryption, Entersekt is able to support vast numbers of mobile users, as all the heavy lifting is ultimately done in the cloud.
During high-transaction periods, such as the end of the month, when people are being paid, or the end of the year, around the holiday and shopping seasons, the system is able to scale up to cope with the vast number of banking transactions taking place, and in quieter periods the infrastructure is able to scale back down again. This means that financial institutions only pay for the technology they need, when they need it, and don’t over-provision hardware to cope with seasonal peaks. By using this cloud-based system, banks have been able to give their customers a more secure and better retail banking experience, all while reducing online phishing fraud to an absolute 0%.