IT pros lack confidence in public cloud's perimeter defenses

How do you secure your cloud servers today? 31.2% of those surveyed said their cloud provider does it, and 19.9% said they don't at all

A full 44.7% of the 164 IT professionals surveyed by CloudPassage identified perimeter defense/network control as their top cloud security concern; this was followed by multi-tenancy of infrastructure or applications (38.8%), achieving compliance with PCI or other standards (25.7%), provider access to guest services (24.3%), and enterprise security tools not working in the cloud (21.7%).

“One of the biggest obstacles to public cloud adoption has been that people understand that their current security approaches that are usually network-based or hypervisor-based…simply don’t work in the infrastructure-as-a-service environment”, Rand Wacker, vice president of product management at CloudPassage, told Infosecurity.

Asked “How do you secure your cloud servers today?”, 31.2% responded that their cloud provider does it for them, 21.3% noted that they do it manually using a checklist, and 19.9% said they are not securing their cloud servers.

Regarding who in the organization is raising cloud security issues, a full 63.3% of respondents said it was their IT management, 27.3% said it was their chief security officer, 26.7% said executive management, 13.3% said customers and partners, 12% said the application development shop, and 7.3% said outside analysts and consultants.

One solution to cloud security is for customers to encrypt their data before it goes into the cloud. At some point, however, the data has to be decrypted so that the computing infrastructure can use it.

“That is where you would need your servers in the cloud that are crunching that data to be secure as well”, Wacker said. “You don’t want to go through all the effort to encrypt your data, manage your keys securely, and push that to the cloud, but then have servers you are renting in the cloud to be compromised and be the place where people are stealing that data”, he added.

CloudPassage focuses on the security of the servers that are running in the cloud. “Our architecture operates in the very constrained environment of the public cloud and gives you the ability to do all of the firewall and access control, vulnerability management, intrusion detection, and host integrity scanning that you could do as if your servers were running in a private data center”, Wacker related.

Cloud providers are clear that they are responsible for security up to the hypervisor; everything in the OS is the responsibility of the cloud customer, Wacker said. “When it comes to regulatory compliance, that includes enforcing password changes, monitoring for file changes, and all these different things.” This is the area where CloudPassage provides security. “We cover 93 of the PCI requirements and a huge swath of the other compliance regulations”, he added.
