Cloud Security; What’s Included Versus What You’ll Have To Develop

Nov 28, 2016

With the emergence of globally-applied cloud operations becoming the rule, rather than an exception; more and more enterprises are facing significant challenges when it comes to the development, and employment, of extensible cloud security programs. On first blush, one might assume that the cloud itself would likely harbor the majority of elements associated with the defeat of various security threats; however, in the real world this proposition represents more of a ‘hope’, than a reality.

Consider the touchstone elements regarding today’s business security in the form of email communications, web processing, and broad user-access control. While it is true that the cloud does provide for easy baseline support for each process focus, larger concerns looms in the case of where each of those operations are to be domain-located, along with how one, or more, user bases are to be effectively managed and secured on a dynamic basis.

On top of these more traditional areas of interest, network structure issues apply as well, including the reality that many holistic cloud networks leverage both public and private clusters in parallel, even though they may, or may not, necessarily be security-tight end-to-end. Consequently, in the case of overall enterprise cloud management, these acknowledgements tend to suggest that even more focus will be required to maintain nominal security levels going forward. This means that the enterprise itself will have to clearly understand, define, and internally control what components systems will, and will not, apply; rather than simply leaning on the generic, and somewhat ‘automatic’ nature of the cloud security infrastructure alone.

However, if those concerns weren’t enough, the aforementioned set of negative concerns are also being exacerbated by historically-accepted user patterns that suggest that ‘bring your own’ security systems will ‘probably work just fine’ in conjunction with today’s cloud, even though there is no particular good reason to believe that; driven by an emergent development environment that is largely driven by a sense that ‘continuous is better – or else.’

All together, then, as a cluster of security concerns these challenges represent a cannonball that must nevertheless be swallowed, even though enterprises are likely to choke unless they get the right help, at the right time. What this means are reputable cloud partners to be sure, but more importantly, cloud security consultants who can help businesses navigate their particular minefields.

That said, just what are the current threat vectors, and what do they mean to the cloud-based enterprise? Well, here are just a couple of major areas to pay attention to, while getting your hackles up; but again, please bear in mind that these issues reflect nothing more than a sample construct of just how bad it can really be, unless you pay particularly detailed attention.

Issues associated with general data encryption:

According to excerpts from a 2015 Spiceworks security survey, major problems existed regarding the “…level of fragmentation of controls over data traffic security in the (cloud’s) mishmash of VPNs and network-layer encryption (systems)…76 percent of (respondents) said they need(ed) to use two or more forms of encryption to secure data traffic. More than a third of (respondents) were forced to contend with three or more forms of encryption or VPNs for (dynamic) data (on a daily basis).

The (results suggested that there were) no single points of control or methods to set a consistent, uniform policies for encryption across all network segments or applications. Consequently, there were bound to be gaps and inconsistencies in policy enforcement and data protection.”

Network Segmentation Shortfalls:

“(Respondents) also reported challenges with fundamental network segmentation. (These included) traffic techniques such as firewalls and access control lists, along with the creation of subnets and logical segmentation for internal traffic. However, a majority of respondents indicated that they would like to use data traffic encryption to create fully secure application segmentation but were unable to do so…45 percent said encryption was too difficult to manage to use for segmentation, while 36 percent cited the performance hit on firewalls and network devices when encryption (was employed).

(Clearly) enterprises were acknowledging that data traffic encryption, was a proactive security tool, and was increasingly essential for data over any network.
Classical security architectures were built around the concept that a trusted internal network could be established and protected by firewalls and that applications could be contained within a safe zone. But security analysts, consultants, and penetration testers suggested otherwise, and in many cases, the safest assumption was to apply the opposite: that a network would be breached, malware would appear on internal systems, and that sensitive applications would be extended outside the (central) enterprise perimeter.

It’s (was) also important to note that the difficulty with managing encryption (because of fragmentation) and the performance impact on firewalls and network devices were chief stumbling blocks for these enterprises. The two issues (were) in essence forcing IT managers to make dangerous trade-offs, knowing that they are deploying less than ideal security (elements) in order to make up for the shortcomings of their network systems and firewalls.”

In these two areas of concern alone, note that the potential of security threats represent ‘baked-in’ structural limits that tend to force enterprise developers and operators to respond in detail. Consequently, if a particular firm’s IT cadre is not adept enough to identify and overcome these kinds of problems internally, the only ‘best course of action’ is the engagement of professional help in the form of cloud security consultants, who can help illuminate, and deliver, solutions that clearly respond to these problems quickly and effectively.

Return To Blog

Join the stackoverdrive.io Devops Newsletter

powered by MailChimp!

Learn more about our
DevOps & Cloud Consulting Services

Call 1-844-733-8677 or Fill out the form below