The prospect of migrating IT infrastructure to the cloud is becoming increasingly attractive for many companies and organizations. The main benefits for them are the cost savings, flexibility and time savings that allow them to focus on the services and applications that are important to their customers.
Many have also realized that moving to the cloud can help them increase the visibility and effectiveness of their security. Thus, while the benefits of moving to the cloud are obvious, certain issues must be addressed in order to do so effectively and safely.
For example: who is responsible for security at each level, and when?
Security must be the number one priority
Security must be the top priority of every cloud provider worthy of the name. However, providers' offerings come with different degrees of security, so it is important to understand where each party's responsibility begins. In terms of security, Software-as-a-Service (SaaS) providers carry the majority of the responsibilities, Platform-as-a-Service (PaaS) providers carry a smaller share, and Infrastructure-as-a-Service (IaaS) providers offer a shared responsibility model. In terms of physical security, cloud providers are responsible for managing gatekeepers, fences, access controls, intruder alarms and CCTV cameras in their data centers, which they must design and operate according to strict guidelines. The virtual security of the thousands of servers, switches, load balancers and virtual machines in these data centers is another area of responsibility for the cloud provider.
An experienced customer will require the cloud provider to supply proof of the certifications and accreditations it has obtained, attesting to the security of its offering. These certifications and accreditations are awarded by third-party auditors who verify that the security in place meets the standards imposed by highly regulated sectors such as government, health or finance.
The most extensive and respected certification is ISO 27001. Developed by the International Organization for Standardization, ISO 27001 is recognized by companies around the world. Cloud infrastructure providers should also undergo Service Organization Control audits (SOC 1, 2 and 3) to ensure compliance with their internal policies. Having auditors certify a cloud provider's security technology infrastructure allows CISOs (Chief Information Security Officers) to better evaluate cloud computing offerings. Customers should also inquire about the certifications and accreditations applicable to their industry. For example, the payment card industry must comply with the PCI DSS Level 1 security standard.
Your privatized space in the cloud
Some vendors, such as Amazon Web Services, also offer customers an isolated space in the cloud, known as a Virtual Private Cloud. In this case, customers have complete control over their virtual network environment: they can choose their IP address ranges, create subnets, configure routing tables and network gateways, and define the associated firewall rules.
This service is used by companies that want to use the cloud as an extension of their existing data centers while enjoying the flexibility and low cost of cloud services. Fundamentally, there is no contradiction between providing on-demand infrastructure and providing an isolated, secure space for businesses that are used to an on-site or colocation environment already in place.
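Because the customer controls the address ranges, subnets, routing tables, gateways and firewall rules listed above, mistakes in them are the customer's to find. The following check is an added example, not taken from the article or from AWS; the plan format, names and values are constructed assumptions, and it runs offline with the Python standard library.

```python
import ipaddress

# Constructed VPC plan; every name and value here is an assumption for illustration.
VPC = {
    "cidr": "10.20.0.0/16",
    "subnets": {
        "web-a": {"cidr": "10.20.0.0/24", "public": True, "routes": "rt-public"},
        "app-a": {"cidr": "10.20.1.0/24", "public": False, "routes": "rt-private"},
        "db-a": {"cidr": "10.20.1.128/25", "public": False, "routes": "rt-private"},  # inside app-a
    },
    "route_tables": {
        "rt-public": [{"dest": "0.0.0.0/0", "target": "internet-gateway"}],
        "rt-private": [{"dest": "0.0.0.0/0", "target": "internet-gateway"}],  # exposes private tier
    },
    "firewall_rules": [
        {"name": "https", "port": 443, "source": "0.0.0.0/0"},
        {"name": "ssh", "port": 22, "source": "0.0.0.0/0"},  # admin port open to any address
        {"name": "postgres", "port": 5432, "source": "10.20.1.0/24"},
    ],
}
ADMIN_PORTS = {22, 3389}  # SSH and RDP

def audit_vpc(vpc):
    """Return findings for the address plan, the routing and the firewall rules."""
    findings = []
    vpc_net = ipaddress.ip_network(vpc["cidr"])
    nets = {n: ipaddress.ip_network(s["cidr"]) for n, s in vpc["subnets"].items()}
    names = sorted(nets)
    for i, a in enumerate(names):
        # Every subnet must sit inside the VPC range and must not overlap another.
        if not nets[a].subnet_of(vpc_net):
            findings.append(f"subnet {a} is outside the VPC range {vpc_net}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"subnets {a} and {b} overlap")
    for name, sub in vpc["subnets"].items():
        # A subnet meant to be private must not route to the internet gateway.
        routes = vpc["route_tables"][sub["routes"]]
        if not sub["public"] and any(r["target"] == "internet-gateway" for r in routes):
            findings.append(f"private subnet {name} routes to the internet gateway")
    for rule in vpc["firewall_rules"]:
        # Administration ports should never accept traffic from 0.0.0.0/0.
        any_source = ipaddress.ip_network(rule["source"]).prefixlen == 0
        if any_source and rule["port"] in ADMIN_PORTS:
            findings.append(f"rule {rule['name']} opens port {rule['port']} to any source")
    return findings

if __name__ == "__main__":
    for finding in audit_vpc(VPC):
        print(finding)
```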
One company that benefits from this technology is Schneider Electric, a global specialist in energy management. Schneider Electric offers products, services and solutions in the areas of electrical distribution, industrial automation, secure energy and building automation. The company uses the cloud as a real accelerator of growth, thanks to its efficiency and reliability. Among the 15 applications it currently runs on AWS, Schneider Electric has deployed a corporate social network, named SPICE, based on TIBCO TIBBR technology. This solution has been migrated to Amazon VPC to ensure better network and application performance. The corporate social network gives the 90,000 Schneider Electric employees who have an account a global collaborative social network in a privatized and secure environment. Employees share good practices with the goal of collaborating more effectively internally. This means that many ongoing projects are discussed on this platform and that the information exchanged is therefore not intended to be made public.
Thus, the use of Amazon VPC allows Schneider Electric to benefit from an isolated and secure space in the cloud while providing its users with an optimal browsing experience in the United States, Europe or Asia Pacific, with direct connectivity to Amazon’s infrastructure and end-to-end network acceleration.
Shared security responsibilities
While the cloud can offer a higher level of physical and virtual security than most companies can afford on their own premises, it must also be stressed that security as a whole is a shared responsibility between the customer and the cloud provider. A cloud service provider can be very secure, but if a customer launches an insecure or vulnerable application in the cloud, that customer may compromise its own project. Conversely, if a customer runs a very secure application in a poorly secured cloud environment, it incurs the same risk.
The goal of this shared responsibility is to give customers the flexibility and control they need to deploy applications that meet their needs. Most businesses cannot afford the luxury of dedicating resources to physical or virtual security. A good cloud service provider must be able to invest heavily in security technologies, procedures and personnel. As such, cloud security is achievable on a large scale, and we look forward to seeing companies continue to innovate in their IT practices for the benefit of their business in a secure, highly available, low-cost technology environment.