When a company uses a public cloud, it faces the following questions: Who is responsible for infrastructure security in the public cloud? What tools do users have to control the cloud provider? How do they know if they can trust a service provider? The Network Computing portal has gathered some important answers.
The migration of digital infrastructure to the cloud has become a clear trend in the corporate sector in recent years. And the COVID-19 epidemic has accelerated this process. The range of users of public clouds now extends to government and business organizations of all sizes. However, this change has raised a number of security issues and concerns, ranging from its responsibilities to maintaining the integrity of customer data.
As a general rule, customers should develop a separate policy that addresses different aspects of cooperation with external cloud services. deals with and defines indicators of this relationship. At best, the customer has a clear idea of the security mechanisms that can be applied.
The opposite is also true when the customer expects the IaaS to receive the full spectrum of security services and only has to deal with problems on the go. to fight. Moving to the cloud, companies are mostly placed in a more organized environment than before, which also provides support for their more stringent security behavior. A less common approach is to build the information system from scratch with the modern and secure tools of the cloud provider, instead of outsourcing it completely.
Some cloud providers object because their business model is broken down into resources such as disks, cores and channels rather than services that the customer really needs. According to this narrative, it is not in the customer’s interest to know the ins and outs of the technical implementation of a cloud service as long as they receive the required functions quickly, smoothly and with an adequate level of security.
This type of situation concerns a small segment of cloud customers. mainly for small and medium-sized enterprises. In working with service providers, large organizations mainly adhere to the principle of giving us resources and using them for what we need.
As regards the impact of regulators on this market, all government supervision will eventually make the service more expensive. At the same time, some customers misinterpret rigid regulatory requirements and place excessive demands on service providers when they move to the cloud. In that case, the cloud service provider may also act as an intermediary in the dialogue between the customer and the regulatory authority.
Information security professionals must accept that some of their tasks and privileges will be the responsibility of the service provider after the switchover. Nevertheless, the organisation’s security department should focus on auditing based on standards and compliance checks set at the beginning of the audit.
As the company gains experience with the cloud infrastructure, it begins to ask more complex and meaningful questions to the service provider. Members of the information security team are increasingly interested in network security, protection of web resources, and the management tools offered by the service provider. It is also increasingly important for them how the cloud provider monitors security incidents, how it responds to virus attacks and how it informs customers about these incidents.
Continuity must be ensured, ie back-up procedures are needed, and To switch to another provider in Plan B.
The goals that the company wants to achieve by moving to the cloud must be defined. The criteria should be reconsidered and it should be clarified whether the chosen cloud provider meets them.
For security tools, a comprehensive approach should be followed and the tools selected in the given context should be selected.
The concept of security inversion is an important element in cloud evolution. The basic idea is that information security professionals should focus on the user, not the data center, as they used to. This situation seems reasonable because all information systems work at the service of people, but people are the weak links in the security loop. Inversion provides the basis for a multi-faceted approach to security that takes into account all aspects of an organization’s operations.
Distrust of a service provider is a problem like distrust of employees. The only way to reassure service users about the security of their infrastructure is to get an idea of how public cloud security works. During the verification process, the customer, with the assistance of his service provider, can verify that the service provider has implemented and complied with all necessary security procedures, including those setting out the rules for controlling contacts with companies and the work of administrators.
Meanwhile, the presence of various certificates and attestations is not necessarily a factor that increases trust in the service provider. Nevertheless, certification is not only a marketing tool but also an organization of the operation of the cloud service, so it undoubtedly plays a role in consolidating trust.
However, it is clear that no company is immune to insider threats. An effective way to prevent the leakage of sensitive data is to record, store and analyze events in the cloud provider’s information system.
The correct approach is to control computing power and data assets with a provider whose risks are standardized and reliable resources. are. Therefore, companies continue to cloud their infrastructure and work with service providers to find appropriate mechanisms to control and systematize interactions
One promising strategy is to involve insurance companies to cover customer risks. Insurers will be interested in a comprehensive assessment of the cloud service provider’s security system and can act as an independent auditor and guarantor between the two parties.
Hardware, software, tests, curiosities and colorful news from the IT world by clicking here!
