Cloud technologies evolve rapidly, offering cloud-based alternatives to almost any known service and product. The 2018 Oracle and KPMG Cloud Threat Report states that 87 percent of organizations report having a cloud-first orientation. And Gartner predicts that through 2020, workloads on public cloud infrastructure-as-a-service (IaaS) will suffer at least 60 percent fewer security incidents than those in traditional data centers. At the same time, 95 percent of cloud security failures will be the customer's fault, not the provider's.
So how can you ensure security and compliance in the cloud? Isn’t it easier to accomplish this task on-premises? In this article, we focus on the main challenges of building a secure and compliant application in the cloud.
Security challenges in the cloud
When building a cloud-based application, you need to pay special attention to:
- Data and network security
- Identity and access management
- Vulnerability assessments
Let’s take a closer look at each of these problems.
Data and network security
One of the major concerns of any cloud service provider is the security of its customers' data and of the network that carries it. In contrast to on-premises solutions, with a SaaS solution enterprise data is stored on the vendor's side, so it's the provider's task to ensure a high level of data security and prevent breaches.
Encrypting data in transit and at rest is one of the best ways to protect it. For instance, it's common practice to secure network traffic with TLS (SSL and early TLS versions are deprecated and should be disabled), and to encrypt stored data with keys that are managed separately from the data itself, so that a copied disk or leaked storage bucket is useless without the keys.
Identity and access management
It's crucial to ensure strong identity management and granular access control: multi-factor authentication, least-privilege roles, and audit logs that record who accessed what. Network controls such as firewalls and intrusion detection and prevention systems complement these measures but don't replace them. By deploying these controls, you can significantly decrease the risk of data breaches. You also need to ensure data segregation so that one tenant can't access another tenant's data; in a shared data store this means scoping every query to the caller's tenant, rather than trusting a record ID supplied by the client.
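As an added illustration of tenant data segregation (example code written for this article, not Apriorit's own code), the Go program below models a shared data store with a hypothetical invoice table. The unscoped lookup returns another tenant's row to anyone who knows or guesses its ID, the classic cross-tenant insecure direct object reference; the scoped lookup filters by the tenant taken from the authenticated principal, answers "not found" rather than "forbidden" so it doesn't confirm that the foreign ID exists, and records the denied attempt for the security log. The record IDs, tenant names and user are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Record is a row in a shared (multi-tenant) data store. The owning tenant
// is stored with the row, not derived from who is asking.
type Record struct {
	ID       string
	TenantID string
	Body     string
}

// Principal is the authenticated caller. TenantID must come from the
// verified session or token, never from a URL or request parameter.
type Principal struct {
	UserID   string
	TenantID string
}

// ErrNotFound is returned both for missing records and for records owned
// by another tenant, so a response never confirms that a foreign ID exists.
var ErrNotFound = errors.New("record not found")

// Store is a constructed in-memory stand-in for a shared database table.
type Store struct {
	records map[string]Record
	Audit   []string // denied cross-tenant lookups, for the security log
}

// NewStore builds a store from the given (hypothetical) sample records.
func NewStore(recs ...Record) *Store {
	s := &Store{records: map[string]Record{}}
	for _, r := range recs {
		s.records[r.ID] = r
	}
	return s
}

// GetUnsafe looks a record up by ID alone. Any authenticated user who
// guesses or enumerates an ID reads another tenant's data. Shown only as
// the "before" for comparison.
func (s *Store) GetUnsafe(id string) (Record, error) {
	r, ok := s.records[id]
	if !ok {
		return Record{}, ErrNotFound
	}
	return r, nil
}

// Get scopes the lookup to the caller's tenant. The check lives in the data
// access layer so that no request handler can forget it.
func (s *Store) Get(p Principal, id string) (Record, error) {
	r, ok := s.records[id]
	if !ok {
		return Record{}, ErrNotFound
	}
	if r.TenantID != p.TenantID {
		s.Audit = append(s.Audit, fmt.Sprintf(
			"DENY user=%s tenant=%s record=%s owner=%s",
			p.UserID, p.TenantID, id, r.TenantID))
		return Record{}, ErrNotFound
	}
	return r, nil
}

// ListForTenant returns only the caller's rows; every list query in a
// multi-tenant store should carry this filter.
func (s *Store) ListForTenant(p Principal) []Record {
	var out []Record
	for _, r := range s.records {
		if r.TenantID == p.TenantID {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	store := NewStore(
		Record{ID: "inv-1001", TenantID: "acme", Body: "ACME invoice"},
		Record{ID: "inv-1002", TenantID: "globex", Body: "Globex invoice"},
	)
	alice := Principal{UserID: "alice", TenantID: "acme"}

	// Before: alice reads Globex's invoice just by knowing its ID.
	r, _ := store.GetUnsafe("inv-1002")
	fmt.Println("unsafe lookup returned:", r.Body)

	// After: the same lookup is denied and logged.
	_, err := store.Get(alice, "inv-1002")
	fmt.Println("scoped lookup error:", err)
	fmt.Println("audit:", store.Audit)
	fmt.Println("alice sees", len(store.ListForTenant(alice)), "record(s)")
}
```

The same pattern applies to a real database: add the tenant column to every WHERE clause in one shared data access layer (or use row-level security in the database), and feed the denied-access log lines into the same monitoring that watches your IDS/IPS alerts.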
The main advantage of using the data center capabilities of big vendors such as Microsoft Azure or Amazon Web Services is that most dedicated cloud providers offer additional cloud security services that can help you ensure the needed level of both perimeter and environmental security. In the case of a self-hosted SaaS deployment, however, you’re the one responsible for building these services.
Performing regular penetration testing and software updates is a must if you want to ensure an appropriate level of cloud data security. The good news is that in contrast to on-premises solutions, you won't have to worry about some of your users ignoring necessary updates, since all systems can be patched centrally and automatically by your admins.
Backing up all sensitive enterprise data on a regular basis is also important. By doing so, you can guarantee relatively quick recovery in case of an incident. Data backups should be performed automatically and continuously. Protect backup data with strong encryption so that a leaked or misplaced backup copy doesn't turn into a data breach, and keep the backup keys separate from the backups themselves.
Also, make sure you have a well-documented and tested restore procedure so you won’t have to deal with devastating data loss due to incomplete or unusable backups.
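The two points above (encrypting data at rest with separately managed keys, from the data security section, and keeping backups encrypted with a tested restore procedure) can be shown in one piece of code. The Go program below is an added example written for this article, not Apriorit's own code. It uses envelope encryption: each backup is sealed with a fresh AES-256-GCM data key, and that key is wrapped under a key-encryption key (KEK) that in production would live in a KMS or HSM; here a random in-memory key stands in for it. The restore step unwraps the key, decrypts, and compares the result against the SHA-256 hash recorded at backup time, so an unusable backup is detected before you need it. The sample data is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Backup is an encrypted snapshot plus what a restore needs to prove it worked.
type Backup struct {
	WrappedKey []byte // per-backup data key, encrypted under the KEK
	Ciphertext []byte // nonce || AES-256-GCM(dataKey, plaintext)
	PlainHash  string // SHA-256 of the plaintext, recorded at backup time
}

// ErrRestoreMismatch means the backup decrypted but is not the data that was saved.
var ErrRestoreMismatch = errors.New("restored data does not match recorded hash")

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts under a fresh random nonce and prefixes the nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; the GCM tag check fails on any modified byte.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// MakeBackup encrypts data under a fresh 256-bit data key and wraps that key
// under the KEK. The KEK only ever wraps data keys, so rotating it means
// re-wrapping small keys, never re-encrypting the backups themselves.
func MakeBackup(kek, data []byte) (Backup, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Backup{}, err
	}
	ct, err := sealGCM(dataKey, data)
	if err != nil {
		return Backup{}, err
	}
	wrapped, err := sealGCM(kek, dataKey)
	if err != nil {
		return Backup{}, err
	}
	sum := sha256.Sum256(data)
	return Backup{WrappedKey: wrapped, Ciphertext: ct, PlainHash: hex.EncodeToString(sum[:])}, nil
}

// Restore unwraps the data key, decrypts, and checks the plaintext hash.
// A backup that cannot be brought back to the recorded hash is reported as
// unusable instead of being silently accepted.
func Restore(kek []byte, b Backup) ([]byte, error) {
	dataKey, err := openGCM(kek, b.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	data, err := openGCM(dataKey, b.Ciphertext)
	if err != nil {
		return nil, fmt.Errorf("decrypt backup: %w", err)
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != b.PlainHash {
		return nil, ErrRestoreMismatch
	}
	return data, nil
}

// VerifyBackup is the scheduled test restore: it proves the backup is
// restorable with the current KEK without keeping plaintext around.
func VerifyBackup(kek []byte, b Backup) bool {
	_, err := Restore(kek, b)
	return err == nil
}

func main() {
	kek := make([]byte, 32) // stands in for a KMS-held key (assumption)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	b, err := MakeBackup(kek, []byte("constructed sample: customers.csv export, 2 rows"))
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh backup restorable:", VerifyBackup(kek, b))
	b.Ciphertext[len(b.Ciphertext)-1] ^= 0x01 // simulate bit rot in storage
	fmt.Println("corrupted backup restorable:", VerifyBackup(kek, b))
}
```

Run VerifyBackup on a schedule against the real backup store, with the KEK the restore team would actually use: a backup that only verifies with a key nobody has access to during an incident is just as unusable as a corrupted one.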
Ensuring compliance in the cloud
When building a cloud solution, you need to comply with a number of rules from industry standards to local laws and regulations. And complying with these can be just as challenging as securing your application properly. Below, we list several factors that require special attention.
If you aren’t building your entire system from scratch, you need to choose the right infrastructure vendor. When picking one, it’s crucial to think about what standards and regulations are vital for you now and what standards you may need to comply with in future. Otherwise, you risk wasting extra time and money when switching to a different vendor because of compliance issues.
The list of standards you need to comply with depends on several factors, including the services you're offering, your target industry, and the geographical location of both your business and your customers. ISO/IEC 27001 is one of the most widely recognized international standards for information security management, with ISO/IEC 27002 cataloguing the controls it refers to. Three cloud-specific standards build on them: ISO/IEC 27017 (security controls for cloud services), ISO/IEC 27018 (protection of personally identifiable information in public clouds), and ISO/IEC 27036-4 (security of cloud services in supplier relationships).
Other common frameworks are SOC 1 (SSAE 16, now SSAE 18, and ISAE 3402), SOC 2, the NIST publications (such as the Cybersecurity Framework and SP 800-53), and the CIS Benchmarks. Depending on the industry you're working in, you may need to comply with standards such as HIPAA (for healthcare organizations and their business associates) and PCI DSS (for organizations storing, processing, or transmitting cardholder data). And of course let's not forget about GDPR for organizations that process personal data of people in the EU.
Why do people still choose on-premise solutions over cloud solutions?
While storing and processing data in the cloud can be efficient and secure, there are several factors that can make people choose on-premises solutions instead of cloud solutions.
- Laws and regulations — Certain countries and regions restrict the use of cloud services for storing sensitive data.
- Latency — While it's easily controllable within a private data center and across a private network, latency can become a serious issue in the cloud.
- Visibility and accessibility — Cloud users have no physical access to the hardware and may not know exactly where their data is stored. Also, access to cloud resources may suffer from bandwidth limitations.
- Incomplete data deletion — Since cloud service providers keep several copies of each piece of data, there's a chance that a backup copy will remain somewhere in the cloud even after the main file is deleted. Check the provider's documented deletion and retention commitments before storing data that must be provably erased.
- Delineating responsibilities — While shared responsibility is one of the main benefits of the cloud, it's not always clear where the cloud service provider's role ends and the customer's obligations begin, which can create critical security gaps and lead to potential breaches. This is why it's so important to review the provider's shared responsibility model and put a quality service-level agreement in place that clarifies the responsibilities of each party and leaves nothing assumed.
Keep all these factors in mind and try to address as many of them as possible in order to increase the competitiveness of your product.
When building a cloud-based solution, you need to ensure the same level of security and compliance as for an on-premises solution. And even though you can work with a bigger cloud provider that offers additional security services and complies with the standards you need, there are still many factors that remain your responsibility and need close attention.
By adopting the above-mentioned strategies, you can increase the security of your solution and boost your customers’ confidence in its safety. At Apriorit, we have a team of experts and professionals who will gladly help you accomplish this challenging task.