How to get the most out of public cloud
Very few would dispute the notion that the public cloud, also known as infrastructure as a service (IaaS) platforms, have provided IT with a hugely powerful way to deploy services in a time- and cost-efficient manner. But the tremendous flexibility and power that public cloud provides has to be balanced against the need to configure services in a secure manner.
The challenges of managing in the cloud era are inextricably bound up with the positives. Public cloud platforms are growing between 200% and 300% depending on whether you talk to Google or Amazon. In 2017, AWS alone was responsible for almost $17.5bn in revenue, and Jeff Bezos has said that AWS could eventually be worth even more than Amazon’s enormous retail business. The target for Google Cloud Platform in 2018, is approximately $15bn.
But the assumption that using a cloud from one of the mega-providers such as Amazon, Microsoft or Google will inherently mean data is safeguarded is a common misconception that can be hugely damaging to data security. Today, with so many compromises having occurred in the public cloud there can be no excuses. It’s time for IT to get serious about cloud threats and to take control.
The public cloud configuration challenge in context
Of course, poorly managed public cloud is just one example of cloud security threats (despite quite common as shown by a recent study according to which 20% of public S3 buckets are
writable). The convenience and affordability of getting started on the cloud has meant that there has long been a gung-ho element about the way services are deployed. This is similar to what happens with ‘shadow IT’ where users bypass IT and procurement to download convenient services such as large file transfer utilities or tools for converting PDFs and other file formats. While undoubtedly useful, these services often have terms and conditions that can compromise enterprise data and lead to loss of data ownership.
Shadow IT has its equivalent on public cloud platforms where relatively tech-savvy users in parts of the business can spin up their own instances. But even where IT is involved, stories of poor configuration handling leading to security threats are legion and their fallout has affected many enterprises, including leading global brands. That aforementioned misunderstanding of the shared responsibility model is partly to blame but it’s clear that the user organisation needs to think long and hard about how they handle cloud configurations. These configuration issues can be many and various but they often include issues relating to access permissions, guessable folder structures, leaked credentials and access tokens, services being made public for testing and then forgotten about, and an absence of logging.
What’s needed is to keep the convenience of being able to spin up cloud instances without the risks of exposing data through configur