As a system administrator during the early days of the “cloud revolution” I found the “cloud” metaphor an interesting choice to frame the technology stack.
Clouds, in my mind, were “woolly” and hard to pin down as opposed to the omnipresent, always-available things that IT marketers were suggesting cloud services would be. But whilst I wasn’t a fan of the metaphor, I could easily see the benefits of cloud-hosted services as more and more businesses started to adopt both public and private cloud solutions.
The debate of public versus private cloud doesn’t get nearly as much press as it once did, with the cost of public cloud aggressively nipping at the heels of private cloud hosting services and vendors rushing to add more and more features to their cloud offerings. This is especially true in the security field, with public cloud suppliers looking to further differentiate themselves from private cloud networks, which have traditionally offered the greatest level of flexibility and thus the greatest potential for tight security. (This presumes, of course, that you were prepared to build out that security stack yourself!)
In my mind, private cloud remains a powerful way of keeping security controls internal – a key element when security is a priority. When you need to add a new security function to your private cloud, the main challenge in most cases is how quickly you can deploy the toolset. This, in turn, ensures that you can increase your security coverage quickly and easily. But there are costs to this – by keeping your infrastructure in your own private cloud, it is on you to maintain the state of your security “garden,” and you need to make sure you’re pruning the weeds and ensuring ample coverage all year round.
Public cloud, on the other hand, allows you to potentially outsource your security objectives and may make security “not your problem.” Those of you used to assessing risk will probably hear some alarm bells ringing at that concept, because problems you cannot see are harder to manage than those you have direct control over. If your vendor’s security history is patchy or untested, this is particularly worrying.
There are some additional security nuances of public cloud that are easy to miss. A centrally hosted management service means that administrative access is potentially available from anywhere, which makes additional precautions (such as multi-factor authentication for logins) all the more important. (Although the service itself may be distributed, most big cloud providers expose a single URL for administrator access.) Also consider that all your management control instructions will travel across the public internet. Of course, that is almost certainly happening over SSL, but the plethora of man-in-the-middle attacks seen in recent years has shown that even with HTTPS there is a risk, particularly on networks outside of your control, that traffic is intercepted or manipulated in ways that are hard to detect.