One of the classic myths that we #cybergeeks are still trying to put to bed is that resources put into a cloud data host are automatically safer. After all, cloud providers are responsible for maintaining the security controls around the data being hosted in their facilities, and therefore the clients' data are safer, right?
The actual answer is: "Definitely not!"
I often hear this myth from initial clients, but the truth of the matter is, that without: common sense security practices being applied by the users; proper configuration of the cloud host environment; the right skillsets for administering the cloud presence; and being served by a good cloud service provider (not all are decent, trust me!), then cloud services are just as vulnerable as hosting your data within your own local network, if not more so.
The reason for this vulnerability is the shared responsibility model of cloud services, where the responsibility for security is divided between the customer and the provider. Customers often overlook this, and poor assumptions are made about the security of their cloud-based resources.
The cloud service provider is responsible for the virtual and physical security of the cloud infrastructure. Or in more basic terms, the cloud provider is responsible for the security of the physical servers that they provide their customer with the areas to store their data and the security of the data transport to their servers from the customer's local network. And then that's where it stops.
The customer is responsible for their own data and ensuring that the data are appropriately encrypted. The customer has responsibility for the security of their workloads and any internal networks within their virtual 'private cloud' / cloud workspace. Even domains hosted within the cloud, as nearly all are, have some customer responsibilities around security configurations, e.g. mail-flow setup with DKIM and SPF.
The most important aspect for us to not forget is access control. This is not a new aspect to consider in the least, for local networks or virtual networks. The customer is responsible for locking down access rights to their own resources/software and data based on 'need to know/use'. The only difference between the virtual and local networks in this respect is the physical security of the data centre being handled by the provider in the former and by the customer's own site in the latter.
A grievous recent example of this is a misconfigured Amazon S3 bucket, as reported last week by NCSC. The misconfigured security settings left the bucket wide open and tens of thousands of personal data files were compromised. However, even that's not as bad as the 2017 incident, when similar issues caused records of 198 million American voters to be exposed. Unfortunately, these incidents and most others involving S3 are a result of poor configuration, not a hacker breaking in using sophisticated techniques.
This is where security groups come in. It’s incredibly important to really have a grasp on what a compute resource is talking to and why, so the proper security measures can be applied. So is the cloud really safe from hackers? It’s no safer than anything else, unless organisations make sure they’re taking security in their hands and understand where their responsibility begins and the cloud service provider’s ends.