Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Cloud Security Considerations

Home
Industry Insights
Cloud Security Considerations

Blog Article Published: 11/14/2011

Can a cloud be as secure as a traditional network? In a word, yes! I agree that some may find this statement surprising. Depending on the network, that may be a low bar, but good security principles and approaches are just as applicable to cloud environments as they are to traditional network environments. However, the key is to know how to extend a multi-layered defense into the cloud/virtualization layer.

One of the cloud security benefits frequently mentioned is standardization and hardening of VM images. This can help reduce complexity and ensure that all systems start from a good security posture. Also, it helps enable a rapid response to fix identified issues. Some people claim that complexity, or the diversity, of different systems in a traditional network environment is a security benefit because a single vulnerability is not capable of compromising all systems. However, the reality is it is usually more difficult to manage the disparate systems because of the tools and expert resources required to maintain them.

Hardening is not only for VMs. It has to be extended throughout the cloud environment to include the hypervisor, management interfaces, and all other virtual components, such as network devices. This requires some time and expertise in understanding how to control functionality without losing productivity. If you ask your service provider or internal team about hardening the virtualization layer and you get blank stares back, you may have a problem. Also, you should not accept the default statement that “the hypervisor is essentially a hardened O/S” as a complete answer. Securing the virtualization layer is one of the new and key areas to providing protection for cloud environments.

Strong authentication and authorization methods are critical to address, since this is an often neglected area in traditional networks. It is important to do it right. It is worth noting that the Verizon 2011 Data Breach Investigative Report cites “exploitation of default or guessable credentials” and “use of stolen login credentials” as some of the most used hacking attacks. Whether a private or public cloud environment, there needs to be a solid layer of protection from unauthorized access. Two-factor authentication is a must for remote and administrative access; it is a best practice to require two-factor authentication throughout the virtualized environment, wherever it is practicable.

Encryption should be utilized for both data in-transit, as well as data–at-rest. In addition to providing confidentiality and integrity, encryption plays a critical role in protecting data that is in environment where it may not be able to be destroyed by normal methods. Once encrypted data is no longer needed, the encryption key for that data set can be destroyed. However, this requires that the organization retain and manage the encryption keys and not the service provider.

Encryption is also being used in innovative ways to create an isolated environment within a cloud. This can be used to extend security and compliance controls from an organization’s traditional network into a cloud. This can help overcome barriers to cloud security by enabling enterprises to run selected applications and maintain data in the cloud with the same protection and control available internally.

Summary

Clouds, like a traditional network environments, require careful security planning, design, and operations. The various types our clouds and delivery models will have varying degrees of security and flexibility, some with the ability to layer in additional levels of security controls. This is why it is important to have a firm understanding of security and compliance requirements prior to moving to the cloud.

It is fortunate that good security practices are applicable to the cloud. However, the virtualization layer is a new area – one that requires specialized attention understanding and proficient when it comes to implementing security controls. Hardening, access control, and encryption are three primary areas of focus in building a multi-layered defense in cloud environments. Clouds can meet security and compliance requirements, but only if essential security practices are applied throughout them.

About the Author

Ken Biery is a principal security consultant with Terremark, Verizon’s IT services subsidiary, focused on providing governance, risk, and compliance counsel to enterprises moving to the cloud. With extensive knowledge in the area of cloud computing, he enables companies around the globe to securely migrate to the cloud and crate more efficient IT operations.

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.