"On the one hand, you may hand over physical control, but on the other hand, you're almost certainly doing so to an organization better-equipped to manage computing environments than your own," Hunt observes. "Then there are concerns around the increased attack surface of putting services in the cloud, but there are great things that can be done with virtualized networks and access to features that were previously cost-prohibitive for many organizations (WAFs, HSMs, etc.). So think of the cloud as 'different' and make the most of those hybrid scenarios where you can gradually move assets across in a fashion that suits your own organization's comfort level."

The cloud is certainly different from on-premises resources, so it makes sense that security would be different, too. It follows that organizations must sometimes rethink how they currently implement security when they move to the cloud. Adrian Sanabria, Director of Threatcare, says it's not possible for companies to just "lift and shift" to Amazon Web Services (AWS) or Microsoft Azure without inviting a very expensive disappointment. Instead, they must pay attention to the differences and use them. With that said, one of the most important differences in the cloud for Sanabria is the management plane:
"Since everything in the cloud is virtualized, it's possible to access almost everything through a console. Failing to secure everything from the console's perspective is a common (and BIG) mistake. Understanding access controls for your AWS S3 buckets is a big example of this. Just try Googling 'exposed S3 bucket' to see what I mean."

Consoles aren't the only factor that separates the cloud from physical hardware. Craig Young, a security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT), says the ways in which organizations can choose to process data in the cloud also stand out:
"Cloud service providers allow customers to build complex private network environments suitable for processing even the most sensitive data. The confidentiality of this data rests on security controls unlike those commonly used on-premise, and a slight mistake can ultimately expose this sensitive data to the public Internet. Network administrators need to keep a close eye on the external view of all IP space allocated for their cloud. Vulnerability scanners like Tripwire IP360 make it easy to recognize exposed services and close them up before attackers can exploit them."

Understanding how cloud security differs from datacenter security is crucial for organizations. They need that knowledge not only to migrate to the cloud but also to implement security controls once the move is complete. Towards that end, Tripwire asked 18 experts how enterprises can securely migrate to the cloud and secure their cloud environments. Download this e-book to read their guidance and advice.
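Sanabria's point about S3 access controls being the classic management-plane mistake can be turned into a concrete audit check. The following is an added example, not code from the article or from any of the quoted experts: it parses an S3 bucket policy document and flags `Allow` statements whose `Principal` is the anonymous wildcard, separating unconditional public grants from ones narrowed by a source-IP, VPC or account condition. The sample policy and the bucket name `example-bucket` are constructed for illustration.

```python
import json

# Constructed sample bucket policy (not from the article): the first statement
# grants anonymous read on every object, the second is scoped to one account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AccountOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

# Condition keys that narrow an otherwise anonymous grant to a network or account.
RESTRICTING_KEYS = {"aws:SourceIp", "aws:SourceVpc", "aws:SourceVpce",
                    "aws:PrincipalAccount", "aws:PrincipalOrgID", "aws:SourceAccount"}

def _as_list(value):
    # IAM policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    """True when Principal grants access to anyone: "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False

def _has_restricting_condition(statement):
    """True when any Condition block uses a key from RESTRICTING_KEYS."""
    cond = statement.get("Condition") or {}
    return any(key in RESTRICTING_KEYS for block in cond.values() for key in block)

def find_public_statements(policy_json):
    """Return (label, actions, verdict) for each Allow statement open to anonymous principals.

    verdict is "public" for an unconditional grant and "conditional" when a narrowing
    Condition is present; conditional grants still deserve a human review.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"Statement[{idx}]")
        actions = ",".join(_as_list(stmt.get("Action", [])))
        verdict = "conditional" if _has_restricting_condition(stmt) else "public"
        findings.append((label, actions, verdict))
    return findings
```

The same check belongs in a pre-deployment pipeline: run it over every bucket policy in your infrastructure templates, and treat a "public" verdict as a blocking finding unless the bucket is deliberately a public website origin.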