Security in public cloud — how times have changed

One of the most significant changes around public sector ICT in recent years has been the attitude to public cloud from a security perspective. One only has to go back a few years for the prevailing mindset to have been that public cloud could never be considered secure enough for public sector workloads. Considerations around UK data sovereignty took precedence and the generally accepted wisdom was that if you wanted security, then you had to do it yourself in your own data centre.

How times have changed.

Now, there seems to be a generally held view that the investments that the hyperscale public cloud providers are able to make around security makes it almost impossible for other providers, including those in-house, to keep up.

This article will outline the benefits of public cloud from a security viewpoint.

The most significant of these is scale, which applies in three ways.

Firstly, the scale of AWS, Microsoft and Google allows them to invest in security in a way that smaller companies are not able to, spending vast sums of money on securing their own data centres, platforms and connectivity.

Secondly, the breadth of the customer base of the hyperscale public cloud providers also means that they all have customers who are highly demanding in security terms — banks and other fin tech companies, the military, content owners such as media companies, healthcare providers and so on. These customers place significant demands on the public cloud providers, forcing them to behave in certain ways with respect to security. But all customers, large and small and irrespective of their particular security requirements, gain the benefits of what the providers have to do to meet the requirements of the most demanding.

Thirdly, having a large number of customers in one space, albeit a geographically distributed space, allows the public cloud providers to use machine learning and other artificial intelligence techniques to spot and predict attacks, including detecting new types of attacks as they emerge, much more quickly than smaller providers would be able to. Because of this, public cloud providers are able to take what they learn about an emerging attack in one geographic region and apply it to other regions in advance of the attack actually happening there.

It is worth remembering that both AWS and Microsoft provide what they call a shared responsibility model. That means that they accept responsibility for the security ‘of the cloud’. Their customers, and managed service providers by extension, are responsible for security ‘in the cloud’.

The three scale-related security considerations above apply mainly to the former, i.e. they enhance the ability of the hyperscale public cloud providers to ensure that they are able to deliver the security ‘of the cloud’.

On the latter, security ‘in the cloud’, it is up to customers and managed service providers, to ensure that whatever services are deployed to that secure cloud adopt best security practice.

However, even here scale comes into play. Because of the large number of customers making use of the cloud providers, two things happen.

Firstly, a significant body of shared ‘good practice’ builds up, meaning that not every customer has to learn everything for themselves.

Secondly, both public cloud providers and the marketplace of third-party vendors that grow up around them, are able to develop and offer a highly-featured set of security-related tooling.

If we think about good information security practice, which is captured in the three facets of the ‘CIA’ model — confidentiality (ensuring that only people who are allowed to access information are able to do so), integrity (ensuring that information is not tampered with or otherwise compromised while it is being stored), and availability (ensuring that information is available when it should be) the public cloud providers are able to offer a wide range of tooling to support these different facets.

For confidentiality, the hyperscale public cloud providers offer very rich identity and access management tooling, coupled with role-based access control models and an array of encryption services covering both data at rest and in transit.

For integrity, they offer advanced log-monitoring, and a vast array of native and third-party tooling that can apply machine learning techniques to that data to spot unusual access patters and behaviour. They also increasingly offer a web application firewalling (WAF) capability.

For availability, they provide the inherent resilience of the underlying infrastructure fabric, significant levels of replication built into their data storage and other offers, as well as content distribution networks to ensure that data is delivered to consumers as rapidly as possible.

Taken together, these features provide a wealth of security-related features, one that continues to evolve at an accelerating pace, that other providers struggle to keep up with.