Security in the public cloud is built on the shared responsibility model. The cloud provider manages the infrastructure, including the network, data storage, system resources, data centers, physical security, and the supporting hardware and software. In short, the provider is responsible for the security *of* the cloud, and the customer is responsible for security *in* the cloud: the configuration, data, identities, and workloads they place on it.
What about security in a hybrid cloud environment? How does it differ from security in the public cloud?
According to a recent study of information security professionals, lack of visibility into infrastructure security is the biggest cloud management challenge. Per the 2018 Cloud Security Report, based on a survey of 400,000 information security professionals on LinkedIn, the top three security control challenges for security operations centers (SOCs) are:
- Visibility into infrastructure security (43%)
- Compliance (38%)
- Setting consistent security policies across cloud and on-premises environments (35%)
Existing security solutions were not designed for dynamic cloud infrastructure that can change in minutes. A further challenge is the lack of cloud-specific security knowledge across the organization. This knowledge gap makes it harder to develop enterprise-wide guidelines and best practices with detailed technical recommendations. Complex cloud architectures also make it difficult to spot known issues immediately and to remediate them quickly. Because a hybrid cloud places your data in several locations, you need encryption and fine-grained access controls that apply consistently across the whole hybrid infrastructure.
Compliance requirements such as GDPR, PCI DSS, and the forthcoming California Consumer Privacy Act (CCPA) apply across all of your clouds, which is a challenge best addressed ahead of time. The increasingly mobile, rapidly digitizing world of data is transforming every aspect of information handling and leading to new policies and regulations to support data privacy. And it is not just about the CCPA. While the CCPA has significantly raised the bar for the protection of personal data, its proposed replacement, the California Privacy Rights and Enforcement Act of 2020 (CPREA), adds a whole host of new protections.
Many U.S. states have already introduced CCPA-like legislation or will do so shortly, and others are expected to introduce legislation that addresses issues such as biometrics, the Internet of Things (IoT), and the use of consumer credit reports. You need to ensure that both your public cloud and your private cloud are compliant, as well as the interaction between the two.
Regardless of which compliance regulation ends up in force, we recommend that IT take extra care about what data they restore from backup. Private information or personally identifiable information (PII) that was deleted at the data subject's request can be brought back to life by a restore from an older snapshot, putting a company out of compliance in an instant.
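One practical way to act on that recommendation is to gate every restore job on the organization's record of honoured erasure requests. The following Python is an added example written for this page, not code from the original article or from ASG: it assumes a hypothetical erasure ledger (subject id mapped to the UTC time the erasure was completed) and a constructed snapshot schema. Records of erased subjects are withheld from the restore, and a subject who was erased *before* the snapshot was taken yet still appears in it is flagged, because that means the erasure never propagated to this data store.

```python
# Added example (not from the original article): gating a backup restore against
# a record of honoured erasure requests, so that PII deleted on request is not
# re-created by restoring an older snapshot. Names and data are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Record:
    """One row from a backup snapshot (constructed schema)."""
    subject_id: str
    email: str
    country: str


@dataclass
class RestorePlan:
    """What a restore job may write back, what it must withhold, and what to investigate."""
    restore: list = field(default_factory=list)
    suppressed: list = field(default_factory=list)
    # Subjects erased *before* the snapshot was taken but still present in it:
    # the erasure never propagated to this data store and needs follow-up.
    anomalies: list = field(default_factory=list)


def plan_restore(records, snapshot_taken_at, erasure_ledger):
    """Split snapshot records into restore / suppress sets using the erasure ledger.

    erasure_ledger maps subject_id -> UTC datetime at which the erasure request
    was completed (hypothetical system of record). The check fails closed:
    without a ledger, nothing is restored.
    """
    if erasure_ledger is None:
        raise RuntimeError("erasure ledger unavailable; refusing to restore PII")
    if snapshot_taken_at.tzinfo is None:
        raise ValueError("snapshot timestamp must be timezone-aware")

    plan = RestorePlan()
    for rec in records:
        erased_at = erasure_ledger.get(rec.subject_id)
        if erased_at is None:
            plan.restore.append(rec)
            continue
        # Subject asked to be forgotten: never write their row back.
        plan.suppressed.append(rec)
        if erased_at <= snapshot_taken_at:
            plan.anomalies.append(rec.subject_id)
    return plan


def audit_lines(plan, snapshot_taken_at):
    """Audit trail for the restore ticket: counts and subject ids only, no PII values."""
    lines = [f"snapshot={snapshot_taken_at.isoformat()} restore={len(plan.restore)} "
             f"suppressed={len(plan.suppressed)}"]
    lines += [f"suppressed subject={r.subject_id}" for r in plan.suppressed]
    lines += [f"ANOMALY erasure did not propagate: subject={s}" for s in plan.anomalies]
    return lines


# Constructed sample data.
ERASURE_LEDGER = {
    "cust-1001": datetime(2020, 3, 1, tzinfo=timezone.utc),
    "cust-1003": datetime(2020, 5, 15, tzinfo=timezone.utc),
}
SNAPSHOT_TAKEN_AT = datetime(2020, 4, 1, tzinfo=timezone.utc)
SNAPSHOT = [
    Record("cust-1001", "a@example.com", "US"),  # erased before the snapshot: anomaly
    Record("cust-1002", "b@example.com", "DE"),  # never erased: safe to restore
    Record("cust-1003", "c@example.com", "US"),  # erased after the snapshot: suppress
]

if __name__ == "__main__":
    plan = plan_restore(SNAPSHOT, SNAPSHOT_TAKEN_AT, ERASURE_LEDGER)
    print("\n".join(audit_lines(plan, SNAPSHOT_TAKEN_AT)))
```

Two design choices matter here. The gate fails closed: if the erasure ledger cannot be reached, the restore does not proceed, because restoring without the check is exactly the compliance failure the paragraph warns about. And the audit output carries subject ids only, never the suppressed values themselves, so the restore ticket does not become a second copy of the data that was supposed to be gone.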
A key aspect of a trusted cloud-native platform is that every data set has an owner, and that this ownership is aligned with the company’s IAM (Identity and Access Management) policies. This must include how the data, both at rest and in transit, is secured and accessed according to the organization’s framework for managing user access.
ASG can help you with a security audit, pen test or security assessment profiles. Contact us for details.