7 Tips for Staying Secure in the Cloud

“The popularity and demonstrated security competence of cloud service providers doesn’t absolve security leaders of their responsibility to actively manage cloud security,” says Steve Riley, research director at Gartner. “Security in the cloud is a shared responsibility.”

Regardless of the type of cloud model, identity and access management (IAM) and data security are always customer responsibilities.

Gartner expects that by 2018, the 60% of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures.

Follow these seven recommendations to develop effective security strategies for existing and planned utilization of public clouds.

1. Incorporate appropriate IAM: Incorporate appropriate IAM from the outset, ideally based on roles, especially for administration duties. Customers, not the provider, are responsible for defining who can do what within their subscription.
2. Isolate data at rest with encryption: Providers have a vested interest in maintaining strong isolation between routine maintenance procedures and customer data, and between the customers themselves. Encryption is a useful tool for creating logical isolation from other data center tenants, for enforcing classification policies and for ensuring digital shredding at end of life.
3. Segment and contain traffic with virtual network and filtering controls: For IaaS, segment and contain network traffic using the provider’s virtual network and filtering controls as a minimum. Subnets within virtual private clouds can declare whether instances have Internet, virtual private network (VPN) or no external access at all. Network access control lists also define permitted and blocked inbound and outbound traffic.
4. Establish a security control plane: Use third party-tools to establish a security control plane to achieve better visibility, data security, threat protection and compliance, as well as to automate security configurations.
5. Take full responsibility for application and instance security: Providers take no responsibility for the security of application code that customers develop and run in clouds. Use static and dynamic testing tools to identify and remove application vulnerabilities. For cloud-based workloads, consider using cloud-based testing tools.
6. Backup all data in a distinct fault domain: To spread risk most effectively, back up all data in a fault domain distinct from where it resides in production. Some cloud providers offer backup capabilities as an extra cost option, but it isn't a substitute for proper backups. Customers, not cloud providers, are responsible for determining appropriate replication strategies, as well as maintaining backups.
7. Investigate potential of being "compliant by inclusion": Many larger providers routinely undergo various compliance audits, which serve as signals to customers indicating the seriousness with which providers regard security. Leverage the benefit of being "compliant by inclusion" by incorporating the provider’s published attestations into your own.