2017-03-27

I’m not comfortable with the large migration of business applications and security solutions to the cloud. It is clear that large cloud providers have excellent infrastructures - but I’m not comfortable yet.

Many firms are heavily investing in cloud security solutions. About three or four years ago there was a discussion about the use of cloud solutions to gain functionality that cannot be grown internally in a reasonable period of time. But, that was then. Now the move to the cloud for midsize firms appears to be rapidly underway.

Firms are deploying cloud or partial-cloud solutions for multiple IT solutions. This can create a new problem; what if one solution needs to access data within another solution’s cloud? For example: a Security Information and Event Management (SIEM) tool in a public cloud can collect data from multiple public clouds and analyze it.

SIEM solutions are deployed to track access to internal data systems by intruders. The logs within the SIEM collect forensic data that can be reviewed to see if there is a breach. The SIEM can also collect proactive information used to help prevent a breach. SIEMs require something like a fault-tree analysis to determine which log sources should be correlated together. Having a SIEM in a public cloud I believe is unwise. It requires that the SIEM go through a public cloud to reach other applications that may themselves be on other public clouds. It would be better to have the SIEM on the company’s private cloud, which then talks to applications on many public clouds.

Another example is the access control application. Access control applications manage who has access to different corporate applications. It is unlikely that a firm would want a critical access control system in the public cloud, where it would then need to manage access to applications in other clouds. This would require a large amount of inter-cloud communication between public clouds. So it wouldn’t be wise to put the access control system in the public cloud, because of the need to interact with servers in multiple other public clouds. Many different firewall ports would need to be opened to enable communication between the public clouds, increasing the attack surface that must be protected.

The need to have solutions that talk to applications within other clouds points to the need for a security architecture review each time a cloud-based solution is deployed. Adding a new cloud or cloud product could have a big impact on how current cloud applications interact with the new cloud applications. A cloud architecture review would enable the analysis of the impacts of a new cloud application.

Also, the need to have products that communicate between their cloud and other vendors’ clouds increases the security risks for the company. It opens up potential holes in the firewall of a vendor cloud that also serves other companies. So a cloud breach at one vendor could open up a potential breach at other midsize companies that share that same public cloud’s infrastructure. Public cloud to public cloud communication is something to be avoided.

In summary, a breach in a midsize company’s public cloud could grow and impact multiple firms that rely on the same public cloud’s infrastructure. So be careful when architecting your cloud solution, and perform a cloud architecture assessment that enables you to see which applications are in which clouds. Then you can determine whether any cloud-to-cloud communications are necessary. Also, you may want something like a certification from the cloud vendor that indicates that your use of their public cloud infrastructure is safe.
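One way to run the inventory check described above in code, as an added example that is not from the original post: it takes an application inventory and its data flows (the inventory format and the `critical` tag are assumptions; the sample data is constructed) and flags security controls hosted in a public cloud and flows that cross between two different public clouds.

```python
"""Cloud placement review: flag the two patterns the post warns about.

Added example, not from the original post. The inventory format and the
'critical' tag are assumptions; the sample inventory below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    cloud: str              # e.g. "corp-private", "vendor-a", "vendor-b"
    public: bool            # True if hosted in a public cloud
    critical: bool = False  # security control such as a SIEM or access control


def review(apps: list[App], flows: list[tuple[str, str]]) -> list[str]:
    """Return findings for critical apps placed in a public cloud and for
    data flows whose endpoints sit in two different public clouds."""
    by_name = {a.name: a for a in apps}
    findings = []
    for a in apps:
        if a.critical and a.public:
            findings.append(f"critical app '{a.name}' hosted in public cloud '{a.cloud}'")
    for src, dst in flows:
        s, d = by_name[src], by_name[dst]
        if s.public and d.public and s.cloud != d.cloud:
            findings.append(f"public-to-public flow {src} ({s.cloud}) -> {dst} ({d.cloud})")
    return findings


def relocate(apps: list[App], name: str, cloud: str, public: bool) -> list[App]:
    """Return a copy of the inventory with one app moved to another cloud."""
    return [App(a.name, cloud, public, a.critical) if a.name == name else a for a in apps]


# Constructed sample: a SIEM in one vendor cloud collecting from two other vendor clouds,
# plus an access control system kept on the company's private cloud.
SAMPLE_APPS = [
    App("siem", "vendor-a", public=True, critical=True),
    App("iam", "corp-private", public=False, critical=True),
    App("crm", "vendor-b", public=True),
    App("hr", "vendor-c", public=True),
]
SAMPLE_FLOWS = [("crm", "siem"), ("hr", "siem"), ("iam", "crm"), ("iam", "hr")]

if __name__ == "__main__":
    for finding in review(SAMPLE_APPS, SAMPLE_FLOWS):
        print("FINDING:", finding)
    moved = relocate(SAMPLE_APPS, "siem", "corp-private", False)
    print("after moving the SIEM to the private cloud:", review(moved, SAMPLE_FLOWS))
```

With the sample inventory the SIEM placement and both collection flows are flagged; moving the SIEM onto the private cloud clears all findings while the private-to-public flows remain unflagged.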

