Gartner: Don't trust cloud providers to protect corporate data

It is impossible for a family with children to buy a safe child seat from a car manufacturer when buying a new car, because it is a professional device that needs to be protected by the most sensitive assets in the family. Pescatore, a vice president and security analyst at Gartner, believes that cloud security can also be thought of in the same logic: users should not rely on the security capabilities of cloud services to protect their vital data.

Sensitive information (customer data, mission-critical applications, production-level information) requires special protection, and many situations require its own security controls to provide full protection. "When companies want to migrate to cloud mode, there are some things you can rely on cloud providers, but the infrastructure provided by cloud providers is scarce for critical business data and regulatory control information." Pescatore at a web conference on Gartner's motherboard.

Pescatore points out that while security remains the primary concern for companies in deploying cloud strategies, there are ways to mitigate these concerns. One key, he says, is the need to design security clauses that specifically protect cloud applications, data, or workloads. A notable example is credit card information. The payment Card Industry (PCI) certification requires that any customer's credit card data be stored electronically and encrypted. Some cloud service providers provide cryptographic services in their cloud storage offerings, but customers can also buy third-party apps tailored to their cloud deployments to provide cryptographic services, DDoS defenses, and access control. Many of these services are delivered in cloud format.

The market has a lot of cloud security products, and many functions. Manufacturers such as Zscaler, Websense or Cisco's ScanSafe are creating a "portal" between users and cloud providers to monitor what data flows into the cloud to ensure that malicious data or malicious applications do not penetrate the user's system. If the cloud is hosted by a Web site, there are also web protection services such as Imperva, CloudFlare, and services from Akamai.

Pescatore that, overall, cloud security is still in the early stage. Many big businesses start their cloud journey with private or internal clouds, a good starting point for security controls. His advice was, "first make sure that the private cloud is secure, and then extend it to a mixed cloud and a public cloud." "The need for system visibility, change control, and vulnerability protection is essential because the process of protecting virtualized environments from external attacks is important." This includes securing architecture choreography, preconfigured new accounts, domain names, and virtual machines.

Migrations to private clouds are often incorporated into public cloud services. In many cases, the enterprise will apply some non-critical tasks to the public cloud, such as testing, development, or capacity expansion. So, not everything needs to be secured at the highest level. "Protects sensitive data and places less sensitive data in the local cloud," he called the process a data partition.

Pescatore says the focus on cloud security should be on the process of protecting the cloud. Create policies for cloud security and then ensure that these policies are enforced and implemented throughout the cloud deployment. Security vulnerabilities can occur as long as there is a policy inconsistency or no enforcement of security controls. "We have so far not seen new attacks that attempt to compromise the cloud infrastructure or virtualization layer," he said. "Today's reality is that hackers are more likely to make money by attacking businesses that use cloud services," he said. ”

The good news is that customers have a lot of choices. Cloud providers (whether IaaS or SaaS) have their own security features for lower-level security requirements. Amazon Web services are compliant with FISMA, while another cloud service provider Firehost is compliant with PCI. Pescatore says users should at least see if their cloud service provider complies with ISO 27001, SOC 2 or SOC 3 certification. In addition, there are a number of third-party security products to choose from, especially for sensitive information. (Wave Compilation)

(Responsible editor: The good of the Legacy)