The adoption and move to a cloud platform in and of itself is not something particularly relevant or new to security concerns. Co-location of compute resources to third party ISPs or even internal hosting of sensitive information is nothing new. The cloud paradigm shift is merely meant to leverage compute density, flexibility and elasticity to maximize on CAPEX returns. Security concerns remain the same and do not necessarily indicate that your cost on the security front will drop as well. On the contrary it will likely stay the same or even temporarily increase with the procurement of new talent for securing emerging technologies, and then drop off again as older tech is decommissioned.
As has always been the case, security best-practices apply. These requires the same keen eye and experience with the technologies in use to implement a viable solution.
When it comes to sensitive data security, many factors should be considered, be they cloud hosted or on a standalone physical instance. I would put forth the follow for your consideration:
- What data are you pushing into your environment? Personal Information like SSN, Credit Card and financial data, or perhaps patient health records?
- Who has access to your systems, and how (physical/remote)?
- What are your ingress/egress points for data flows?
- Are you performing sufficient monitoring and alerting for unauthorized data transfer?
- Have you tested and secured any publicly accessible portals from breach?
- Do you perform ongoing host or file-level integrity monitoring and alerting?
- Where do you perform encryption? Just over the wire, or also at the boot and flat-file storage locations as well?
- Does a single user-authentication break-the-glass or do you only perform decryption as needed?
The nice thing about moving to the cloud is that your options for answering all of these questions become more robust and varied. Security implemented at the virtual level is more simplistic in that more often the best solution can be utilized more easily because of your increased flexibility. No longer do you necessarily need to purchase a hardware firewall (or two) to place between you and the outside world. The same technology can be virtually deployed and integrated with little to no additional physical overhead.
As with any environment, cloud or not, you need to take into consideration who ultimately is responsible for storing your data. When hosting with a public provider, several security layers are often overlooked. Trust in your provider is obviously key, however not to the point of apathy. Due diligence to ensure that data in your care is given the proper vicissitudes through the course of changing technologies will ultimately color your success or demise.