A plethora of cybersecurity breaches at both public and private sector entities over the past few months shows not only how far the industry has to go to shore up its defenses, but how much more sophisticated attackers have become, and how much more sophisticated they will likely get.
Many businesses have now concluded–-correctly, most experts believe–-that cloud computing offers a greater level of security than on-premises data centers managed by the businesses themselves. After all, cybersecurity is not core to what most companies do (and even those who live by the mantra that “every company is a technology company” didn’t sign up for the arduous, tedious and thankless work of securing data); even having the right tools and technology isn’t enough given that great talent is in such short supply.
Cloud providers can generally provide a greater level of security because security is (or should be) their business, and because chances are that they employ the best talent for this purpose. Yet not all clouds are created equal, and businesses should look closely under the hood to see what those differences are.
Businesses should consider the following six characteristics of any cloud provider to determine whether they have the right security stuff to help ensure their data remains safe and ahead of the cyber threat curve:
Data Point No. 1: Design Principles
Many cloud vendors offer only a portion of a complete computing and storage stack, which is why, in many cases, they cannot guarantee the security of their customers’ systems. Infrastructure-only providers don’t have–and thus can’t control-the platforms or application layers used by their customers.
Others only provide platforms and applications but don’t control the infrastructure.
Customers should look for providers who control all aspects of the cloud: infrastructure, platforms, as well as application layers. They should also look for providers who have proven that security isn’t an afterthought, but part of their fundamental design philosophy.
Applications, platform and infrastructure should all be designed with security and functionality in mind, in equal measure. One specific design principle to look for is that of isolation. Most providers allow customer data and the control code used to manage the cloud to exist in the same server–which is a prime opportunity for bad actors to pose as customers and then use malicious software to manipulate the cloud’s control code.
Look for vendors using next-generation cloud infrastructure, in which the control code is isolated from customer data, so that no customer data can ever affect the control code.
“Customers should consider working with cloud providers who have security as the most important design element, period, not just a high priority or an add-on but as the top priority above everything else,” said Wim Coekaerts, Senior Vice President of Software Development at Oracle. “Autonomous capabilities are a requirement to address proactive and reactive handling of cloud and cybersecurity issues.”
Data Point No. 2: Patching
Unpatched software is the root cause of many, if not most, big cybersecurity breaches. Thus, applying security fixes in a timely manner is fundamental to overall security. Yet in complex systems, applying security fixes takes time and often requires systems to be taken offline for hours at a time–hardly ideal for any business that relies on processing transactions in a timely manner.
It’s also important that those security fixes be applied without the end user being aware of it happening or suffering material downtime. Autonomous patching can apply software updates and security fixes as soon as they are available, without need for system shutdowns.
Data Point No. 3: Configuration
Cloud users often leave themselves exposed to potential hacks by leaving server ports open when doing so is not optimal. Or they leave computing or storage resources running even though they are no longer needed or in use. Bad guys can gain entry via these fallow resources and then more easily penetrate critical, running systems.
A modern cloud provider that can help spot unused-but-still-operating computing resources and proactively shut them down, which can dramatically lessen the attack surface that hackers can attack, helping customers maintain a more secure stance.
Cloud providers should also help ensure that the permissions on data access are secure by default by enforcing a rule that documents in object storage are never publicly accessible, and should automatically detect if certain permissions have changed which could potentially expose a system or data, and send alerts whenever that is the case.
Data Point No. 4: Encryption
In addition, cloud providers that mandate that encryption is on by default both for primary and back up databases make it harder for bad guys to steal usable information.
Data Point No. 5: Emerging Technology
Thus far, machine learning and artificial intelligence are not deployed broadly to help cloud providers with early detection of malicious code and unusual patterns and activities that threaten customer data.
That is changing in the face of the cybersecurity hacking onslaught. But it’s important to remember that the best cloud provider needs more than top flight AI expertise. The optimal provider needs both a deep knowledge of what large business workflows look like, as well as the ability to use AI to spot possibly malignant activity before it gets painful.
Data Point No. 6: Summing it Up
A provider that can offer a solid one-two punch of historical enterprise experience and modern technology expertise is a winning proposition for customers looking for a highly secure cloud to entrust with their key business data and workloads.
Business customers should look for a cloud provider that will act as a full partner, not a passive participant who takes customers’ money in exchange for access to a raft of cloud servers. Likewise, cloud providers need to see themselves as full partners with customers when it comes to deploying and securing those all-important business workloads.
Michael Hickins is a former eWEEK and Wall Street Journal editor and reporter who now works at Oracle. This report is special to eWEEK.