How things have emerged
In 1983 when the internet was first born, engineers had one mission: get it working.
Speedy development, connecting the world, and pushing boundaries were the main focus.
Security? That was secondary (an afterthought).
Only later, when nefarious actors emerged, did we realize the gaps in the walls we hadn’t built.
No doubt, they added layers of defense. Encryption was used more widely, and the Internet became more secure.
Since then we have come a long way, maybe in the world of AI 🤷♂️.
Users are everywhere, and with this increasing perimeter cloud computing entered the game.
Companies are fascinated by the easy scalability offered by CSPs (Cloud Service Providers).
But the question that arises is: can we trust the cloud?
Why are companies still afraid to use the cloud?
Companies have strong regulations about storing their sensitive data, and they don’t want to expose it even to cloud providers.
It is scary to know that CSP admins can access your data when it is in the cloud.
Of course, this is a theoretical case: we trust that AWS admins ARE NOT interested in clients’ data. Yet the question is valid: should we trust?
Furthermore, here is an interesting edge case: you might trust the CSP, but not the country in which they are located or under whose laws they operate.
CSPs have back doors or ways to access your data because they are required by law to hand over data to authorities in certain cases that you might not even be informed about.
This is where trust again moves outside of the digital domain into a broader world.
Should you trust the Cloud?
In the context of security, there is no such thing as a trustworthy party and no incentive for giving any individual or group full trust.
We don’t trust cloud platforms to encrypt our data on the server, so we might choose to encrypt data on the clients.
Yet the question is the same: can you trust the client?
This is turtles all the way down.
You have to establish a trust anchor somewhere or else you're just stuck in untrusted land and can't get anything done.
At this point, given the sheer scale of AWS (a major CSP), you're in the column of "security through obscurity" in the sense that it's a huge ocean and you're a minnow.
Given the profit portfolios of CSPs like these, it's definitely in their best financial interests to keep your data safe.
What you should be more concerned about is implementing the security system offered by the CSPs.
By using a vendor to manage your data plane you're always going to be susceptible and need to weigh the risks posed by this decision.
Engineering is what we consider the art of risk management after all.
How CSPs should see the “TRUST”
Possibly the biggest challenge for CSPs is gaining customers' trust, which can only be built through transparency.
By keeping everyone in the loop on who handles what areas of the business, CSPs can improve accountability, identify threats faster, and easily comply with the legal regulations in different regions.
CSPs must be able to make their customers trust them less, to gain their trust.
Simply knowing that your cloud provider is working in the direction of reducing the amount of trust you need to place in them will probably make you trust them more.
This means providing customers full authority over the control of their data while it is in the cloud.
How’s the cloud secure?
Major CSPs invest billions of dollars to build first-class high-security data centers and have top-class security experts to protect the cloud customers’ data.
Look into how some major data centers are designed, with multiple layers of redundancy and immense security implementations.
Also, you can get a lot of tools like WAF, IDS, CSPM, SIEM, top-notch encryption, and replication across multiple data centers, or even regions.
Can’t we build it on-prem?
In theory, it could be done but from a financial perspective it will rarely be viable and the economies of scale the cloud providers have are their trump card.
Bear in mind we need to consider environmental security (fire, flood, quake, etc.) and not just unauthorized access.
There's so much more to security than just physical; we need to address integrity and availability as well as confidentiality.
Let's say you have a business-critical application. How much is it going to cost you to mirror the system across two or three separate locations?
For many businesses that simply isn't an option with the on-prem model: they don't physically have the means or it's cost-prohibitive.
For those that can do it, two will usually be their limit.
In the cloud, you can configure combinations of local, zonal, and regional redundancy to your heart's content.
It’ll take you longer to decide what you need than to implement it.
You can have a secured system across multiple AZs in a matter of minutes or hours and turn it off just as quickly.
Companies that refuse to even consider the cloud often do so due to a lack of understanding.
It's not just somebody else's computer, it's a paradigm shift in how we can deliver IT services to the business.
Shared Responsibility Model: what’s your role in making a secured system?
Cloud security breaches consistently make news headlines.
In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data.
CIOs must change their line of questioning from “Is the cloud secure?” to “Am I using the cloud securely?”
As a cloud service customer, it's important to play your part in maintaining data security.
Always use the security functions embedded in your cloud solutions.
Implement data authentication methods:
↳ Secret Questions
↳ Facial Recognition
↳ Fingerprint IDs
↳ One-time Passwords, etc.
The more unique and time-bound your authentication modes, the stronger your security system.
When you need to process sensitive data, use Confidential Computing. It’s a way for organizations to process data while preserving confidentiality.
Have full control over your key access: keep the key access away from the cloud.
After all, if nobody outside of a customer has the keys, nobody can compel any 3rd party (including a CSP) to reveal the keys and, hence, the sensitive data.
Familiarise yourself with the data security options offered by your CSP, and understand which software layers you are responsible for.
With IaaS, the vendor secures infrastructure; you handle OS, app, and data security.
With PaaS, you focus on securing the app and data.
With SaaS, your responsibilities are further reduced; you can focus on securing data and user identities.
Moreover, you're responsible for ensuring cloud use meets your industry's privacy and compliance standards.
This includes conducting regular audits and risk assessments to spot vulnerabilities and compliance issues.
Additionally, you should foster a culture of cybersecurity and privacy within your business.
This includes:
↳ Developing security and privacy champions in each team
↳ Educating employees on security best practices
↳ Prioritizing risk management
↳ Designing processes with security at the core
↳ Fostering an agile, collaborative environment
Conclusion
As cloud usage explodes, security can't be an afterthought. It must be woven into the cloud computing fabric.
Instead of asking “Is the cloud secure?”, ask yourself “Am I using the cloud securely?”
You must play your part in maintaining data security.