What cloud providers can and can’t do to protect your data

We all have at least part of our data in the cloud. Most of us still have servers located locally or perhaps in a local datacenter or in redundant regions throughout the world. Too often the processes that we used when our servers were local are the same processes we use in the cloud, but risks and responsibilities in the cloud are different.

If you’ve ever wondered what a datacenter is like and what protections your vendors perform to ensure that your data is safe, check out this virtual tour of a datacenter. The often-quoted phrase that the cloud is just someone else’s server is partially true, but the reality is that the cloud is more than just a server. It offers physical protection such as access controls and monitoring of who brings what into the datacenter. This level of physical security is often more than we provide for local storage. We can get away with less protection when we are located closer to the data, but our cloud vendors can’t do the same. Multiple customers share the same space and may have different risks and needs.

Local server security vs. datacenter security

My local servers do not have the same levels of backup generators or power grid redundancies that most datacenters consider to be standard. Case in point, the other day the local power company needed to do electrical work on the meter in our area that required us to turn off the power for the day. We turned off all the local computers and servers in the building because our battery backups and power supplies would not last the expected 12-hour down time.

It reminded me that cloud services allow us to still meet most of our needs even though our main office was offline. It no longer was a severe impact to our operations when the main office location was offline.

Cloud datacenters also monitor disk, memory, and other performance impact to your data storage. In addition, they ensure that physical storage is protected with encryption and other storage best practices. With cloud services you can purchase the appropriate, up-to-date resources that have more secure defaults to meet your data needs.

One thing cloud providers can’t do is ensure we have done everything necessary to protect our data in the cloud. You can easily put a database in the cloud, but if you don’t properly protect that database, all the datacenter’s security best practices go right out the window. A recent Censys study found more than 1.93 million exposed databases on cloud servers. Almost 60% of exposed servers were MySQL databases, for a total of 1.15 million databases out of the total 1.93 million exposed databases.

The shared responsibility model

Microsoft calls this the shared responsibility model. They can provide secure infrastructure, secure hardware, and the possibility of secure computing, but if you fail to follow the best practices in password security, security hygiene, and proper software security, the datacenter’s best practices will not protect you.

With this shared responsibility model in mind, the more you move away from on premises to software as a service (SaaS), the more the cloud vendor is responsible. If you have all your data in on-premises solutions, you are accountable and responsible for all aspects of security and operations. You are also responsible to ensure that data is classified correctly and to manage users and end-point devices.

With infrastructure-as-a-service (IaaS) solutions, buildings, servers, networking hardware, and the hypervisor are managed by the platform vendor. You have responsibility for securing and managing the operating system, network configuration, applications, identity, and data. Platform-as-a-service (PaaS) solutions move the responsibility to manage and secure network controls to the cloud vendor.

What you need to do for cloud security

Often with cloud offerings, the vendor provides the infrastructure but does not control the patching. Review your responsibility for servicing and maintenance. Review what options the vendor provides for automatic updating.

Microsoft, for example, is releasing more tools based on its cloud services to better control updating not only of cloud services but also remote workstations. As long as you have the appropriate license (E3 or higher), new Microsoft Graph APIs are now available in public preview that are powered by the Windows Update for Business deployment service. These allow IT professionals and app developers to approve and schedule specific feature updates to be delivered from Windows Update, stage deployments over a period of days or weeks using rich expressions, and bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization.

Remote access is also a key weakness. Because we are so used to the familiarity of Remote Desktop Protocol (RDP), we often set up cloud services in the same way. That opens up RDP access without limiting access, using two-factor authentication, or better yet not using RDP at all to access cloud assets. Compromised RDP credentials are so widespread they are now being sold in the open marketplace.

Bottom line, just because your data is no longer physically in your immediate reach that doesn’t mean your responsibilities of its security is now with the vendor. Don’t set up the cloud with the same risks and vulnerabilities we open up with on-premises deployments.