As we discussed in an earlier post on cloud fears, it's a little late in the game to be wholly suspicious of cloud computing. However, there's still a lot to talk about when it comes to securing the cloud.
The security features offered by public cloud providers represent only one part of the shared responsibility model; the other part falls within your organization's responsibility. For example, your public cloud provider may offer security groups for identity and access management (IAM) and firewalls that filter traffic on specific ports and to and from specific IP addresses. However, there are still a number of ways your users may inadvertently route around these security measures, for example by creating virtual IaaS servers running old, unpatched software.
Sadly, this is where the security groups and firewalls provided by public cloud providers fall short. In Amazon Web Services, the web application firewalls provided can't identify and control traffic based on application identity, which hobbles your ability to monitor application-specific activity. They also won't keep threats off your on-premises network or stop threats from moving laterally within your virtual or physical environments. Again, you need application specificity in order to impose this level of control. As the public cloud becomes an extension of your data center, advanced security features found only in next-generation firewalls become a necessity. This is why third-party security products that integrate with your public cloud vendor's infrastructure have been introduced: commissioned to secure your organization's apps and data, they complete the shared responsibility model.
Public cloud vendors have partnered with security organizations to deliver virtual versions of security appliances to the cloud. Palo Alto Networks, for example, offers virtual next-generation firewalls that layer comprehensive security on top of cloud infrastructure elements hosted by Amazon Web Services, Microsoft Azure, and the like.
Cloud providers can generally synchronize their user directories with your own for user authentication. This is important, but it falls far short of security requirements. You'll need a solution like Palo Alto Networks' Next-Generation Security Platform, which unifies security across physical and virtual resources, all the way to the endpoint. With Palo Alto Networks' Panorama for single-pane management, you can apply meaningful security policies across all the resource stacks in use. If, for example, you want to restrict access to certain customer information, like Social Security numbers, to certain users -- and you want to enforce that policy both on-premises and on cloud servers in a test/dev environment -- you need a unified platform with end-to-end visibility.
Research carefully which elements of the cloud service (infrastructure, IAM, and database administration, for example) include built-in security. Integrating those elements with your on-premises security measures may be a good start, but partnering with a recognized third-party security expert is a smart way to close the gaps and ensure thorough protection.
Learn more about Palo Alto Networks' Next-Generation Security Platform for cloud at go.paloaltonetworks.com/secureclouds.