Cloud Security Journal

Cloud security is a top concern for chief security officers. In almost any enterprise, cloud migration is a given fact and recent attacks have proven, yet again, that data security is a critical component in any cloud migration strategy.

Below are four tips, specific to Infrastructure as a Service (IaaS) cloud security.

1. Migrate your data - own your security
   When moving to the cloud, companies have the natural tendency to look for security solutions from their cloud provider of choice. IaaS providers are very good at managing storage, computation resources, and virtual machines, but in most cases they can't provide data security solutions that are as secure as if you were to manage them yourself.

Keep in mind the shared responsibility model when planning a secure cloud migration, and verify carefully which tools are provided by your cloud provider, and which tools should be integrated by you.

In most IaaS clouds, your responsibility starts at your host VM level and goes all the way up to the application security level. Ensure you are in control of your security tools.

Let's take cloud encryption as an example: make sure your encryption keys are owned by your organization, not by the cloud provider. This is the only way you can prove your data is in compliance and safe from preying eyes.

2. Adopt cloud-friendly security tools - Get some CTO love
   Cloud security means many things to many people. The CTO in your organization is most likely heavily focused on making infrastructure cloud deployments as automated and seamless as possible.

Integrating traditional security tools like those you're used to using in your on-premise data center might prove to be very complicated to use in the cloud, and may thus eliminate many of the cloud automation advantages.

When possible, try to use tools specifically tailored to the cloud. Dome9 does a wonderful job providing an IaaS firewall, Incapsula provides a Web Application Firewall solution for such clouds, and Porticor provides an innovative key management and encryption solution for multiple IaaS clouds.

Leveraging such tools will ensure you get the most secure deployment while your IaaS cloud continues to use automation and orchestration tools.

3. 2015 is the year of "encrypt everything"
   From the attacks on Target and EBay to the most recent breach of Sony Pictures, attackers are targeting your organizational data. We said it before (for example here), encrypting your data should be a high priority for any organization.

Encryption is an obvious requirement if you deal with financial, medical and other regulated data, but almost any company today stores private information relating to its employees and such information should be encrypted at all times, and most certainly in infrastructure clouds.

The importance of encryption is not in its ability to identify or prevent an attack; there are other tools for that. The assumption is that some attacks will eventually succeed.  Encrypted data would render stolen data unusable, and therefore we believe more and more companies will adopt an "encrypt everything" approach as part of their cloud strategy.

4. Make sure your plan sticks for multiple clouds
   Last, validate your plan against multiple clouds. "Sandbox" a few private and public clouds and ask yourself if your strategy sticks. Can you use your firewall across all cloud deployments? Will you be able to leverage your current key management solution effectively in the cloud?

In many cases you'll realize that your current tools are not sufficient for a public or hybrid cloud deployment. This is a great exercise to run early in the decision making process, as budgeting for a new "security wardrobe" might be needed.