Jump to section

What is different about cloud security

Copy URL

Cloud security is the protection of data, applications, and infrastructures involved in cloud services and cloud computing. Many aspects of security for cloud environments (whether it’s a public, private, or hybrid cloud) are the same as for any on-premise IT architecture.

Regardless of what cloud deployment you’re using, you’re responsible for securing your own space within that cloud. Using a cloud maintained by someone else doesn’t mean you can—or should—sit back and relax. Insufficient due diligence is a major cause of security failures. Cloud security is everyone’s responsibility, and that includes:

Using trusted software

What’s inside your cloud matters. As with any code you download from an external source, you need to know where the packages originally came from, who built them, and if there’s malicious code inside them. Obtain software from known, trusted sources and ensure that mechanisms are in place to provide and install updates in a timely way.

Understanding compliance

Personal, financial and other sensitive cloud data may be subject to strict compliance regulations. The laws vary depending on where (and with whom) you do business—for example, see the European Union’s General Data Protection Regulation (GDPR). Check your compliance requirements before choosing a cloud deployment.

Managing lifecycles

Cloud-native environments make it easy to spin up new instances—and it’s also easy to forget about the old ones. Neglected instances can become cloud zombies—active but unmonitored. These abandoned instances can become outdated quickly, which means no new security patches. Lifecycle management and governance policies can help.

Considering portability

Can you easily move your workloads to another cloud? Service-level agreements (SLA) should clearly define when and how the cloud provider returns the customer’s data or applications. Even if you don’t foresee moving things soon, it’s likely a future scenario. Prevent future lock-in concerns by considering portability now.

Continuous monitoring

Monitoring what’s going on in your workspaces can help you avoid—or at least inhibit the effect of—security breaches.

Choosing the right cloud provider

Hire and partner with qualified, trustworthy people who understand the complexities of cloud services and security. Sometimes, a public cloud’s infrastructure may be more secure than a particular organization’s private cloud, because the public cloud provider has a better informed and equipped security team.

Ok. Let’s talk about it. We could tell you all about the security differences between the 3 cloud deployments—public, private, and hybrid—but we know what you’re really wondering: "Are public clouds secure?" Well, it depends.

Public clouds—for example, Amazon Web Services (AWS), Microsoft Azure, and Google—are appropriately secure for many types of workloads, but aren’t right for everything, largely because they lack the isolation of private clouds. Public clouds support multitenancy, meaning you rent computing power (or storage space) from the cloud service provider's data center alongside other "tenants". Each tenant signs a service-level agreement (SLA) with the cloud provider that documents who’s responsible and liable for what. It’s a lot like leasing a physical space from a landlord. The landlord (cloud provider) promises to maintain the building (cloud infrastructure), hold the keys (access), and generally stay out of the tenant’s way (privacy). In return, the tenant promises not to do anything (e.g. run unsecured apps) that would corrupt the integrity of the building or bother other tenants. But you can’t choose your neighbors, and it’s possible to end up with a neighbor who lets in something harmful. While the cloud provider’s infrastructure security team is watching for unusual events, stealthy or aggressive threats—like malicious distributed denial-of-service (DDoS) attacks—can still negatively affect other tenants.

Fortunately, there are some industry-accepted security standards, regulations, and control frameworks like the Cloud Controls Matrix from the Cloud Security Alliance. You can also isolate yourself in a multi-tenant environment by deploying additional security tools (like encryption and DDoS mitigation techniques) that protect workloads from a compromised infrastructure. If that’s not enough, you can release cloud access security brokers to monitor activity and enforce security policies for low-risk enterprise functions. Though all this may not be sufficient for industries that operate under strict privacy, security, and compliance regulations.

DevSecOps is the combination of DevOps practices and security strategies as a means for organizations to increase IT security and reduce risk to their software environments. Cloud-native technologies such as Kubernetes, containers, microservices, and service meshes have become tremendously popular because they provide the building blocks necessary for organizations to build, deploy, and run cloud applications more dynamically, reliably, and at greater scale than was previously possible. 

The changes introduced by cloud-native technologies require organizations to evolve their security toward a DevSecOps model. This means security and engineering teams must work together to develop strategies that successfully help their organizations build and run modern, scalable applications, with shift left practices that incorporate security earlier in the software development life cycle and workflows that implement security as code.

Multiple icons forming a circle around a business man icon

Security decisions have much to do with risk tolerance and cost-benefit analysis. How could potential risks and benefits affect the overall health of your organization? What matters most? Not every workload demands the highest level of encryption and cybersecurity. Think about it like this: Locking your home keeps all your belongings relatively secure, but you might still lock your valuables in a safe. It’s good to have options.

That’s why more enterprises are turning to hybrid clouds, which give you the best of all the clouds. A hybrid cloud is a combination of 2 or more interconnected cloud environments—public or private.

Hybrid clouds let you choose where to place workloads and data based on compliance, audit, policy, or security requirements—protecting particularly sensitive workloads on a private cloud, while operating less-sensitive workloads in the public cloud. There are some unique hybrid cloud security challenges (like data migration, increased complexity, and a larger attack surface), but the presence of multiple environments can be one of the strongest defenses against security risks.

Learn about Red Hat’s approach to security and compliance

The referenced media source is missing and needs to be re-embedded.

Keep reading

Article

What is DevSecOps?

If you want to take full advantage of the agility and responsiveness of DevOps, IT security must play a role in the full life cycle of your apps.

Article

What is different about cloud security

High-level security concerns impact both traditional IT and cloud systems. Find out what's different.

Article

What is SOAR?

SOAR refers to 3 key software capabilities that security teams use: case and workflow management, task automation, and a centralized means of accessing, querying, and sharing threat intelligence.

More about security

Products

A security framework that manages user identities and helps keep communications private.

An enterprise-ready, Kubernetes-native container security solution that enables you to more securely build, deploy, and run cloud-native applications.

A predictive analytics service that helps identify and remediate security, performance, and availability threats to your Red Hat infrastructure.

A single console, with built-in security policies, for controlling Kubernetes clusters and applications.

Resources