Cloud security is NOT an oxymoron

Not a day goes by without one of my customers saying, "but cloud is not secure" or "but, but I can see and touch my servers". Usually I spend the next 30 minutes explaining to them that just because they control physical access to their servers in a data center doesn't mean they are secure.

Amazon Web Services (AWS) uses a shared security responsibility model: AWS takes care of securing physical access, network-layer protection, and data center and edge location security. The customer is responsible for OS-level security, the firewall (security groups), securing application data, etc.

Even though the security responsibilities are split, AWS provides several tools to secure your resources. A few sample tools:

  • Instance-level firewalls, known as security groups, that block all inbound access by default.
  • Extremely tight control over resources in a Virtual Private Cloud (VPC), including Network Access Control Lists (NACLs), private and public subnets, dedicated instances that run on hardware reserved for a single customer, control over networking and subnets, and the ability to tunnel VPC traffic back through your data center over a VPN connection.
  • Control over the level of access your users have to your resources using the AWS Identity and Access Management (IAM) service. You can also enable Multi-Factor Authentication (MFA) for an extra layer of security: users need to enter a 6-digit authentication code every time they access AWS services.
  • All services have secure API access, and most endpoints provide HTTPS access.
  • Storage services that offer encryption at rest using strong AES 256-bit keys.
  • From securing load balancers with SSL termination to keeping track of every action performed by your users with the CloudTrail service, AWS has well-thought-out building blocks that enable organizations to establish the most secure footprints, something we could only dream of in the past.
  • The AWS Trusted Advisor console provides an overview of unrestricted ports, MFA status, S3 bucket policies, IAM usage and more.
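As an added example (not code from the original post or from AWS), here is the kind of "unrestricted ports" check Trusted Advisor performs, written against security group rules in the shape of the EC2 DescribeSecurityGroups response; the group ids and rules are constructed sample data.

```python
import ipaddress

# Constructed sample in the shape of the EC2 DescribeSecurityGroups response
# (boto3: describe_security_groups()["SecurityGroups"]). Group ids are
# hypothetical placeholders, not values from the original post.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

# Ports a public-facing group is expected to expose (e.g. behind a load
# balancer); anything else open to the world is reported.
ALLOWED_PUBLIC_PORTS = {80, 443}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. a rule that admits any address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def unrestricted_rules(groups):
    """List (group_id, protocol, (from_port, to_port), cidr) for every inbound
    rule that exposes a non-web port to the whole internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            # IpProtocol "-1" means all protocols; it carries no port fields.
            lo = 0 if proto == "-1" else perm.get("FromPort", 0)
            hi = 65535 if proto == "-1" else perm.get("ToPort", 65535)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue
                if any(p not in ALLOWED_PUBLIC_PORTS for p in range(lo, hi + 1)):
                    findings.append((sg["GroupId"], proto, (lo, hi), cidr))
    return findings
```

On the sample data, `unrestricted_rules(SAMPLE_GROUPS)` flags the SSH rule in `sg-0web` and the all-protocol IPv6 rule in `sg-0db`, while the 443 rule and the VPC-internal MySQL rule pass. Against a live account you would pass it the `SecurityGroups` list returned by boto3's `describe_security_groups()`.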

So how can you go wrong with so many security options at your disposal? :-) And it's in Amazon's and Azure's interest to keep innovating on the security front so that customers adopt cloud technologies in droves and stay on. And I haven't even covered the laundry list of assurance and compliance certifications these CSPs (Cloud Service Providers) have received.

By contrast, the only security I've seen in data centers is a perimeter firewall and the SSH (Secure Shell) tools used by systems administrators and developers. The software on the firewalls is rarely updated, old firewall rules aren't re-validated periodically, and the admins' SSH public keys are copied to every host in the data center, you know, for convenience and scripting. On the other hand, CSPs make security easy to use by making it an integral part of the service, forcing you to evaluate security practices at every step.

Still think your data center is secure? Feel free to comment or contact us for a Free 5-day Workshop on cloud & DevOps technologies. We'll get you started the right way!

Cloud security is not different from traditional DC models; just as it is used via the internet, you need extra caution, and in Cloud you are more secure than an old-age DC. That's what I recommend to my client.


Actively manage your risk
