Thanks to marketers, salespeople, and old-school big-iron IT grognards, the term “Cloud Computing” has become as amorphous as its puffy, shapeshifting namesake. Movies, commercials, scandals, and phone features have thrown the term around to the point where it has become very difficult for the average IT professional to define. Cloud has hit a point in its hype cycle where people understand just enough to be dangerous — and this lack of knowledge tends to lead to misconception and oversimplification of an otherwise deeply stratified and diverse set of technologies.
In this blog post, I aim to debunk for the Cloud Noobs out there one of the biggest misconceptions I’ve heard in the past few years about cloud computing — that it’s less secure than doing it in your own datacenter.
For the purpose of this brief, cursory debunking, I’m going to focus specifically on Infrastructure as a Service (IaaS). IaaS basically means that you’re purchasing “bare metal” computing power on a consumption-based pricing model. Think of it as renting a computer somewhere else in the world and accessing it over the Internet. And therein lies the confusion. It’s not unreasonable for people to think that, since you’re accessing the computer over the Internet, it’s actually sitting in a data center someplace where your data will commingle with every other Tom, Dick, and Harry’s data. But when implemented properly, that’s just not the case.
Think about the things that make a computer system secure:
- Physical Security
  - The best cloud computing companies take pride in the fact that you cannot come for a tour. You can’t even get a mailing address for the data center. Their employees are heavily vetted and their physical controls continue to push the top of the line. They can afford the best of the best. You probably can’t.
- Network Isolation/Segmentation (Firewalling)
  - A properly maintained virtual private cloud experience creates a semipermeable membrane to the Internet that can be as permissive or restrictive as your needs require. Large enterprises trust these isolation bubbles to be hard wired or VPN’d into their on-premises networks to serve as an extension of their trusted infrastructure. This is because the protections are deep, real, and fastidiously maintained. While your on-premises network team may be a few patches behind on their switching and firewall maintenance, this cannot be allowed in a cloud environment where critical workloads are running.
- Vulnerability Management (Patching)
  - When was the last time you patched your VMware farm? I hope you can remember that far back. Your cloud provider is staying on top of the vulnerabilities in their computing, storage, and network tiers continuously. And due to the clustered nature of their hosting environments, you don’t even notice when the patches hit. The bottom line is that a good IaaS provider will have an updated, task-focused infrastructure for your workloads to leverage.
- Data Protection – Isolation, Encryption, and Secure Disposal
  - Your data is not accessible by others in a good cloud environment. If you’re really concerned, which you shouldn’t be, you can always ask for dedicated hardware to be used for your workloads. But that’s really only necessary if you have a regulatory need.
  - Most providers also give you the option of encrypting your drives. On premises, this is arduous, expensive, and questionably valuable due to the physical control that lets you sleep at night. In the good IaaS world, you can get an extra warm blanket of encryption to help you sleep.
  - As for disposal, a properly operated and certified IaaS provider takes no chances with data loss from disposed drives. Every drive is wiped to DoD standards between uses and every drive is shredded and melted down at death.
Please bear in mind that with all of the above, I’m assuming that you’re dealing with reputable, established, auditable cloud hosting providers. I personally am a huge fan of Amazon Web Services (AWS) and I know that they continuously push the bar higher on how well they implement those controls and others to ensure that their side of the bargain is as secure as it can be.
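Two of the controls above, network isolation and drive encryption, are only as tight as the settings you choose on your side. The following is an added example, not code from this post or from AWS, that audits both; it assumes input in the JSON shape returned by `aws ec2 describe-security-groups` and `aws ec2 describe-volumes`, and the resource IDs and the `PUBLIC_OK` port policy are constructed for illustration.

```python
import ipaddress

# Constructed sample data in the shape returned by
# `aws ec2 describe-security-groups` and `aws ec2 describe-volumes`.
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy-example", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-app-example", "Encrypted": True},
    {"VolumeId": "vol-scratch-example", "Encrypted": False},
]}

PUBLIC_OK = {80, 443}  # assumption: only web ports may face the Internet

def world_open(rule):
    """True if any source range in the rule covers every address."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def exposed_rules(groups, allowed=PUBLIC_OK):
    """Return (group id, protocol, port range) for risky world-open rules."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if not world_open(rule):
                continue
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            # Protocol "-1" means all traffic and carries no port fields.
            if rule["IpProtocol"] != "tcp" or lo != hi or lo not in allowed:
                findings.append((sg["GroupId"], rule["IpProtocol"], (lo, hi)))
    return findings

def unencrypted_volumes(volumes):
    """Return IDs of volumes created without encryption at rest."""
    return [v["VolumeId"] for v in volumes["Volumes"] if not v.get("Encrypted")]

if __name__ == "__main__":
    print(exposed_rules(SAMPLE_GROUPS), unencrypted_volumes(SAMPLE_VOLUMES))
```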
Yeah – you can do all of those things I mentioned. You might even do them well. But for the rest of us who have to spend our days maintaining applications, keeping users happy, and responding to incidents left and right, it’s a great feeling to know that your bare metal is secure by default.