For SMBs, using cloud and managed hosting services relieves IT of the need to buy, house, and manage infrastructure, and of many associated costs and tasks. But "going cloud" does not eliminate all in-house IT responsibilities -- including security.
To be sure, a cloud/hosting provider must be responsible for many aspects of IT security. How much depends in part on whether you are simply using infrastructure, or also using applications and other services from the provider.
But, in general, whatever your company does using provider services -- running on them or connecting to them -- it is up to your company to make sure they are properly secured.
In his "Schneier on Security" blog, security/privacy expert Bruce Schneier points out "Cloud providers have the potential to be far more secure than the corporations whose data they are holding. It is the same economies of scale. For most companies, the cloud provider is likely to have better security than them -- by a lot."
Here's a look at what aspects of IT security you can -- and can't -- look to your cloud vendor to handle, according to Kostyantyn Bezruchenko, CTO of global cloud platform and hosting provider Servers.com.
Security Your Cloud Provider Should Provide
"For Servers.com, cloud and hosting IT security begins at the hardware configuration level," says Bezruchenko. "For example, at the network level, we have a fully redundant private wide-area network, isolated at the hardware level," says Bezruchenko. "The private networks ensure the security of communication of customer processes among servers and storage both within and between our data centers, such as virtual machines, containers, and clustering."
"Because a cloud is a mix of different hardware components, which may be highly dependent one from another, physical security is more important for cloud than for typical bare-metal server infrastructure," says Bezruchenko.
"However, it's way more important to keep software infrastructure up-to-date, since any security breach can lead to massive data exposure of all virtual machines running on the same host," says Bezruchenko.
In terms of software, what you can expect depends in part on what services you are purchasing. If you're buying bare-metal hosting or cloud virtual machines, the provider is responsible for the security of the platform -- but security for the applications, data, and interactions with other systems and with users is likely to be up to your company.
"Security common across all service provides includes network firewall, web application firewall (WAF), private networking, and DDoS protection," says Bezruchenko. "We already have the last two, and are working with various vendors to implement network and web application firewalls."
Along with security proper, your cloud provider is responsible for some of the regulatory compliance requirements -- but check carefully, as your company is likely responsible for ensuring security compliance of your software architecture and your applications.
"Not every enterprise can afford to maintain same service quality as data centers do," says Bezruchenko. "Nowadays, keeping any data in data center is more secure than on-premises. A data center may be less secure in terms of physical access, but in terms of power and connectivity -- which is also a part of security -- the data center absolutely wins. Take a DDoS attack as an example -- each of our data centers has at least 400Gbps of external network capacity, which may help to sustain volumetric DDoS attacks. It will be hard to do that on-premises."
Cloud-Related Security Your Company Is Responsible For
"We, as a service provider, can only provide a secure infrastructure and some additional instruments, like private networks, DDoS protection, and firewalls," says Bezruchenko. "However, the most important part is customer application security. We can only suggest customers to run penetration testing before an application goes live, and use qualified sysadmins to secure their servers.”
This includes securing all the applications, and managing passwords and permissions. It may include operating system instances, system images, and virtual machine and container templates, which are come "out of the box" needing to be secured. It also includes securing all interaction between your company's IT and the cloud provider, including APIs and the network connections.
Because your developers and administrators are working "remotely" with cloud resources, you need to provide secure remote-access methods, tools, and procedures -- and be sure that all access credentials, and the tools that manage those, are well-secured.
You also need to make sure that the same level of IT security you use for your own systems and networks is applied to your cloud activity, such as network firewalls and intrusion detection/monitoring.
It's also advisable that you do regular backup of data that's stored in the provider to a separate third-party service.
Security Questions For Your Cloud Provider
Here are some security questions to ask a prospective cloud provider:
Multitenant security (shared environments): How do they ensure that other tenants (i.e., unauthorized users) won't be able to access your private data?
Securing the virtualization layer: Similarly, for servers hosting VMs from multiple customers, how are these secured?
Regulatory compliance: How do they help you identify, and comply with, all relevant industry and geographic/political regulations? Which ones are the provider responsible for?
How do they prevent "shadow cloud" activity of their services by your employees and contractors?
Do they offer encryption? Does that include key management? If so, who has access to the encryption keys?
Do they offer identify and access management? File integrity monitoring?
Do they offer integration points that work with whatever identity and security you are using?
In general, ask your target cloud provider what security they do -- and don't -- provide, and what if any services they offer to help your company fill in those gaps.