5 critical factors to public cloud security

Does a ‘secure’ or ‘insecure’ public cloud exist?

For keen observers of the public cloud wars, there were many plot twists to Microsoft’s JEDI contract win in the US. We may not have seen the final chapter, but surely the biggest takeaway is that public cloud security is no longer an issue – or is it?

The US Department of Defence’s decision to award Microsoft its US$10bn JEDI (Joint Enterprise Defense Infrastructure) contract for cloud services has created a huge stir – but for all the wrong reasons!

The most recent headlines have all focused on AWS filing a legal challenge disputing the decision. However, they should be about how the JEDI deal is a real game changer for public cloud services.

When the JEDI contract first came up for tender, it was assumed that AWS was the only public cloud provider that had the appropriate security level and capabilities to win the contract. AWS was already providing cloud computing for the CIA including workloads up to Impact Level 6 (IL6), the security requirement for handling the “Secret” level of classified material on the cloud. However, by winning the contract, Microsoft was able to demonstrate that they too can provide this level of security.

The significance is that with the two biggest providers demonstrating their capabilities, there is no longer a security barrier for any organisation to adopt public cloud services. That’s particularly relevant for government or financial services organisations that might have a higher risk threshold than most.

That said, there is an important caveat: there is no such thing as ‘secure’ or ‘insecure’ public cloud.

Securing your public cloud solution

Security is determined by the whole solution that’s delivered based on the public cloud infrastructure, which was the reason why Microsoft was chosen over AWS.

At Interactive, these are the elements that are critical in determining the security of a public cloud solution:

1. Architecture

ensuring there is a logical separation of components and secure communication between these components, using encryption overlayed with a zoning model to define and separate different subjects and objects based on their security requirements.

2. Data Life Cycle Management

ensuring that at all times and at all points during the process the data you are using is secure. This encompasses data creation, storage, usage, sharing, archiving and disposal. It also includes protection against the risk of data leakage or misuse.

3. Perimeter Security

ensuring strong intrusion detection and protection systems (IDS/IPS) and advanced threat protection (ATP).

4. Secure Operations and Governance

working with secure operational processes, strong password management, and the least privilege principle including data masking where appropriate (limiting a user’s access rights to the bare minimum needed to perform the work).

5. Certification and Compliance

Adherence to best security and risk management practices as suggested by key organisations including ISO, NIST, HIPAA, FedRAMP and GDPR.

Security is always a top priority

Security is increasingly becoming top of mind for our customers due to the evolving threat landscape, increased compliance requirements plus the financial and reputational damage that a data breach can inflict.

Common feedback we receive from customers is that it is challenging to achieve very high levels of security for their own data centres or server infrastructure.

Nervousness around public cloud security is dissipating – and rightly so – but, at the risk of sounding too much like Yoda – ask not if public cloud is secure but instead ask if your public cloud solution is secure.

If you’d like to learn more about our cloud and managed services or how we help businesses secure their data talk to one of our experts today.