How Secure is Cloud Computing?

Cloud computing is no longer a new and emerging technology. These days, all manner of businesses routinely rely on the cloud to store, manage, and access their data. Many more rely on the cloud to provide business-critical Software-as-a-Service (SaaS) capabilities. And more fundamentally still, a growing number use the cloud to house business-critical servers and other virtual machines. Rightly, too, cloud data centres are regarded as more secure and resilient than on-premise infrastructure. But that doesn’t mean that businesses can forget about security when it comes to the cloud: far from it. So how secure is cloud computing and what do you need to consider?

Well, while cloud service providers handle some aspects of security, they don’t handle all aspects of security. It’s important to realise that you, the customer, are also responsible for aspects of security.

This gives rise to several challenges.

Cloud security misunderstandings

First, there’s often confusion about cloud service providers’ overall responsibility for security. Indeed, it’s not unknown for some businesses to think that their cloud service provider is handling everything, with the business itself responsible for nothing.

Second, even when businesses understand that cloud service providers take care of only some aspects of security, and that they the customer are responsible for other aspects, there can often be confusion about who exactly is responsible for what. The result: vulnerability gaps, where businesses erroneously imagine that their cloud service provider is taking care of something that they aren’t.

And third, even when that confusion doesn’t exist, or has been ironed out, businesses may simply be unclear or uncertain about how they should properly protect themselves. Security within the four walls of the business is one thing, and security in a hybrid on-premise/ cloud environment is quite another.

And let’s be clear: every business that’s using cloud services is hybrid. If you have an end-point in the business (and you will), then securing that end-point is your responsibility. Because if it’s left unsecured, it can undoubtedly threaten the integrity of the data and systems in the cloud.

Security superiority

Now, no one’s saying that businesses shouldn’t use the cloud. Compared to traditional ‘on-premise’ infrastructure, the cloud offers considerable cost savings, scalability, and flexibility.

And no one’s saying that the cloud, and cloud data centres, aren’t secure. Indeed, cloud data centres generally utilise state of the art physical and digital security controls. It is not uncommon for businesses using the cloud to find that it actually aids them in securing ISO 27001 certification.

The cloud, in short, offers businesses high levels of performance, superior security, and potentially significant cost savings.

So the point at issue isn’t the security provided by the cloud, or by cloud service providers. Instead, it is the potential vulnerabilities caused by businesses either not properly understanding their own security responsibilities, or where the security provisions that are delivered by the cloud fail to dovetail properly with the security provisions delivered by the business.

Who is responsible?

Take network controls, for instance. Obviously, in an on-premise scenario, the business itself is 100% responsible for security. In the cloud, that’s not the case.

To what extent a business is responsible depends on the cloud capability that the business is making use of. In a SaaS scenario, for example, security is generally the responsibility of the cloud service provider. That’s also true of Platform-as-a-Service (PaaS) scenarios. For Infrastructure-as-a-Service (IaaS) scenarios, though, responsibility is shared—so it’s vital for the business to know exactly how it is shared.

For security in terms of application-level controls, however, the situation is different. The cloud service provider has sole responsibility for security in the SaaS scenario, no responsibility in the IaaS scenario, with responsibility being shared between the cloud service provider and the business when it comes to PaaS.

Identity and access management? Customers are wholly responsible in an IaaS context, but in the SaaS and PaaS scenarios, responsibility is again shared. And, again, when responsibility is shared it’s vital to know exactly how it is shared, so as to be clear about who exactly does what.

This is a recurring theme, whichever aspect of cloud security is under consideration: clarity is essential, if vulnerabilities aren’t to emerge, due to a flawed understanding of how responsibilities are divided up.

So how secure is cloud computing? The answer is extremely secure by all accounts when correctly managed by appropriate parties. Below is the public cloud shared responsibility model to give an understanding of who is responsible for what aspects of cloud management:

Securing the cloud

What to do? We can help.

We’re Aspire Technology Solutions, and data security is one of our core competencies, whether you’re talking cloud-delivered Software-as-a-Service, cloud-delivered Infrastructure-as-a-Service, or simply cloud-hosted data storage.

Our team of certified security experts can manage all your security needs. Our UK-based Security Operations Centre operates 24/7/365, and monitors and manages IT security for businesses just like yours. With highly skilled staff, leading edge software tools, 24/7 vigilance, and proven IT security methodologies and toolsets, we single-mindedly focus on keeping your business secure—on-premise, and in the cloud.