By Ariel Dan | September 27, 2011 07:15 AM EDT
As a cloud security vendor, we are often asked about public cloud security and how secure the public cloud is. To answer this question, I’d like to start by defining what “public cloud” means before focusing on the cloud security question: (public) cloud computing is the delivery of computing as a service rather than a product, and is usually categorized into three service models: software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS). When it comes to public cloud security, all leading cloud providers are investing significant effort and resources in securing and certifying their datacenters.
Therefore the leading public cloud providers themselves are highly secure (and have the certifications to back it up). But if we dive in further and review the security risks in your own account within your public cloud provider of choice, you’ll find a dramatically different situation. Your cloud account security (specifically in IaaS/PaaS implementations) is your responsibility, and neglecting to implement security mechanisms will render your environment insecure.
So is the public cloud secure? Yes, it is. Is your account within that cloud secure? No. Not unless you have secured your virtual servers and virtual storage.
So what can be done? I’d like to start by stating the obvious: securing virtual servers and storage is not dramatically different from securing a physical server, and the same basic rules still apply. Enforcing, for example, a strong access control policy, disabling unnecessary ports, and hardening the application layer are still valid and necessary actions when it comes to securing your virtual environment. In addition to traditional threats, new cloud threats should be considered as part of your security strategy. Shared compute resources, the insider threat and cloud hijacking are all new risks associated with the cloud, and as a result, creating and maintaining an encryption policy and encrypting critical data become must-haves in the cloud.
But cloud encryption can be tricky. Unlike with traditional “old days” encryption techniques, managing your keys in the cloud can be challenging unless a new approach to cloud key management is adopted. We at Porticor have decided to take a different approach to cloud encryption and have recreated key management for the cloud. Our key management system, which we often refer to as the Swiss banker approach, enables you to securely maintain your keys in the cloud, while not compromising the security of your keys and your data. For further reading, please refer to our key management white paper.
To conclude: cloud security should include a blend of traditional security elements combined with “cloud-adjusted” security technologies. Encryption should be a key part of your cloud security strategy due to the new cloud threat vectors (but also due to regulations such as the Patriot Act), but you should pay specific attention to key management.
Copyright © 2011 Ulitzer, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
Ariel Dan is co-founder and VP Marketing and Sales at Porticor cloud security. Follow him on Twitter: @ariel_dan