If your organization stores, collects and processes data – so, really, every organization – you need a data center. And, of course, “A business typically relies heavily upon the applications, services and data contained within a data center, making it a focal point and critical asset for everyday operations.”
Traditionally, data centers were located on-premises at a company’s campus or at least remained under the control of the IT team and the organization. Now, the data and applications needed for business operations have moved to the cloud under the control of a third party. If the cloud has replaced the data center, does that mean organizations should shift their approach to security?
Has the Cloud Changed the Data Center?
Migrating to the cloud hasn’t changed the role of the data center. In fact, as John Bambenek, principal threat hunter at Netenrich, pointed out in an email comment, the cloud is just someone else’s computer.
“It’s still a data center,” Bambenek said. “It just means there is a much thinner perimeter around cloud assets than there would be if it was on-premises.”
On-premises data centers are under the control of an internal IT and security team. The cloud is not. So, even though they are similar in functionality, the cloud-as-data center model requires a higher level of attention to make sure shared responsibility between internal IT and security and external cloud providers doesn’t result in unintended and unexpected gaps in security coverage.
Traditionally, security controls were also implemented and deployed in the data center, because apps lived there and were accessed only from corporate-managed devices.
“This created a security perimeter that protected apps from both internal and external threats,” said Akhilesh Dhawan, senior director, product marketing at Lookout, in an email interview.
But as apps have moved to the cloud and the construct of the data center has changed, it has become easier for users to work remotely (there is no question that the cloud kept businesses running during the pandemic) and use their own devices. That means, said Dhawan, traditional architectures optimized for perimeter security are not relevant in the following ways:
• They require backhauling of all internet and/or SaaS-bound traffic. This increases congestion on data center networks and affects the end-user experience.
• Traditional appliance-based solutions do not offer flexible security controls that allow for the use of any device, making BYOD less secure for business operations.
• Security controls need to be closer to the apps (in the cloud) and closer to the users (on their endpoints) for effective enforcement and to allow for complete end-to-end monitoring of all user sessions.
Rethinking Cloud Security
Readjusting security approaches for the cloud versus the traditional data center will take planning and budgeting.
“Every new technology or architecture requires some adaption of security to make work,” said Bambenek. “After all, it took years to get all the auditing and controls necessary into cloud infrastructure and yet organizations continue to struggle with shadow IT and its impact on data security.”
“At a very high level, the approach is the same; how do you protect confidentiality, availability and integrity?” Bambenek added. “The specifics, however, do change.” For example, AWS has outages from time to time. They can’t be prevented, but organizations need to learn ways to adapt so data stays secure.
The cloud will never completely replace the data center, but it will continue to be more widely adopted. As that happens, organizations will be pushed to reconfigure their traditional security measures into a security plan that incorporates the shared use model of the cloud.