“The cloud is not secure enough”

Maybe you are scared to deploy your applications on public cloud, because you think it is less secure. You rather want everything on-premise, because you think you don’t have to think so much about security. You are wrong. Most attacks will happen on other levels (e.g. Application Level), and whether your application is running on on-premise infrastructure or in the cloud, it doesn’t really matter. Nevertheless, cloud providers provide a comprehensive set of tools to protect your sensitive data. Let’s have an overview.

Sensitive Data

Protecting data is a priority for every company, whether it’s internal data or (highly) confidential information. Having personal identifiable information makes privacy regulations and procedures kick in. What can we do to protect our sensitive data?

Privacy Regulations

In Europe we have the Data Protection Directive, which has been implemented by all the EU countries. In practice this means that there is free movement of data within European countries. The directive states that “personal data can only be transferred to countries outside the EU and the EEA when an adequate level of protection is guaranteed”. Luckily, most of the public cloud companies have data centers within the EU, so pure legally speaking, we’re safe there.

Privacy Policy

What is our privacy policy saying? Every company should have a privacy policy to ensure that all personal data is kept safe, and controls are enforced. Bigger companies have separate procedures when data goes to external parties. More controls to safeguard the information will often need to be implemented. The good news is that public Cloud providers did an extraordinary effort to give us the capabilities we need to secure our data and to pass our audits effortless. Let’s see in a bit more detail what’s possible.

Physical Security

How can you verify physical security of a data center? Companies often go and do assessments themselves, but most companies lack the knowledge to properly assess physical security. You can go to a datacenter, watch all the lights on the servers blink, but it’s probably not going to give you any useful information. We should therefore rely on the assessments those companies have gone through. Amazon AWS for instance is ISO 27001 certified, DSS and PCI Level 1 compliant. They undergo a yearly SOC 1 audit and have been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems (Amazon Security information).

Encryption at rest

I’ll use Amazon AWS again as an example, because they have to most comprehensive security implementations. Data on Amazon is stored in S3 and EBS. Both support encryption. They even go a step further. If you want to manage your own keys, just to make the keys are revealed to nobody, you can do so. You can supply your own key for every object in S3 you write. To make it easier, you can also use Amazon’s Key Management Service. These features are so hard to implement in your own non-cloud environment, that most of the companies don’t even implement them.

Encryption on the wire

All data in transit can be encrypted, and most of it within will be encrypted by default. Make sure that your application is using HTTPS to communicate with other services or users. You will need to know how data is exchanged in your application. If you application is not accessed through the internet, you should disable internet access in your subnet and work through a VPN. There are also options to have a physical link to Amazon, called Direct Connect.

Good Security Measurements

Good security measurements happen in layers. Just protecting your data on infrastructure level is not enough. You’ll need to ensure that you have security measurements in place on application level, on authentication, authorization. You will need proper procedures when laying off personnel, and so on. A good place to start is CISSP.