Maybe you are scared to deploy your applications on public cloud, because you think it is less secure. You rather want everything on-premise, because you think you don’t have to think so much about security. You are wrong. Most attacks will happen on other levels (e.g. Application Level), and whether your application is running on on-premise infrastructure or in the cloud, it doesn’t really matter. Nevertheless, cloud providers provide a comprehensive set of tools to protect your sensitive data. Let’s have an overview.
Protecting data is a priority for every company, whether it’s internal data or (highly) confidential information. Having personal identifiable information makes privacy regulations and procedures kick in. What can we do to protect our sensitive data?
In Europe we have the Data Protection Directive, which has been implemented by all the EU countries. In practice this means that there is free movement of data within European countries. The directive states that “personal data can only be transferred to countries outside the EU and the EEA when an adequate level of protection is guaranteed”. Luckily, most of the public cloud companies have data centers within the EU, so pure legally speaking, we’re safe there.
How can you verify physical security of a data center? Companies often go and do assessments themselves, but most companies lack the knowledge to properly assess physical security. You can go to a datacenter, watch all the lights on the servers blink, but it’s probably not going to give you any useful information. We should therefore rely on the assessments those companies have gone through. Amazon AWS for instance is ISO 27001 certified, DSS and PCI Level 1 compliant. They undergo a yearly SOC 1 audit and have been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems (Amazon Security information).
I’ll use Amazon AWS again as an example, because they have to most comprehensive security implementations. Data on Amazon is stored in S3 and EBS. Both support encryption. They even go a step further. If you want to manage your own keys, just to make the keys are revealed to nobody, you can do so. You can supply your own key for every object in S3 you write. To make it easier, you can also use Amazon’s Key Management Service. These features are so hard to implement in your own non-cloud environment, that most of the companies don’t even implement them.
All data in transit can be encrypted, and most of it within will be encrypted by default. Make sure that your application is using HTTPS to communicate with other services or users. You will need to know how data is exchanged in your application. If you application is not accessed through the internet, you should disable internet access in your subnet and work through a VPN. There are also options to have a physical link to Amazon, called Direct Connect.
Good security measurements happen in layers. Just protecting your data on infrastructure level is not enough. You’ll need to ensure that you have security measurements in place on application level, on authentication, authorization. You will need proper procedures when laying off personnel, and so on. A good place to start is CISSP.