The role of the cloud provider in security
It plays a very important role. At the moment the cloud provider is responsible for security across the entire ‘as a Service’ layer they offer: from security in virtualisation in the case of IaaS services, to security in the software layer for PaaS services, and even the encryption protocols used in data transmission.
The security advantages of public clouds compared to on-premise data centres
As we have just discussed, there is a significant reduction in the effort required to secure the environment, as those tasks are performed by the provider itself, and therefore the likelihood of leaving something in one of the layers that can be attacked is reduced. On the other hand, cloud providers proactively update the versions of their components and protocols to the most recent ones. This update is done transparently if it has no impact; otherwise the organisation is given a deadline to update to the new versions, after which the provider discontinues the old one and it can no longer be used. From my point of view, although this can be annoying, especially because sometimes these updates also involve having to update applications or servers, I think it helps organisations a lot to stay ‘up to date’, and it reduces the risk of attacks due to vulnerabilities.
The main risks for an organisation when using a public cloud and the importance of monitoring them
I think the first risk would be that the public cloud does not meet your expectations. Companies have to change their mindset and methodologies when they move to a public cloud. Usually a company moves to a public cloud to streamline processes and save costs, and if you don’t do that change exercise, it is very possible that the cloud will be less efficient and more costly. On the other hand, I would also say that another risk (which can be overcome over time) is the uncertainty created by delegating your services, which you previously had locally and which were ‘tangible’ for you, to a provider, without knowing how and where they are hosted. This uncertainty could ultimately deter you from migrating to the public cloud, and thus undermine the benefits you would have gained from doing so.
How can an organisation ensure compliance in a public cloud?
The cloud itself already includes in the design phase of its services all the regulations in force in order to be certified in the commercialisation phase. Currently, practically all services consumed in the public cloud are certified with the corresponding ISO or with the ENS in the case of Spain. Likewise, if these regulations are updated, the cloud provider must update the services so that they can continue to be certified. This is another great advantage over on-premise, as we delegate the regulatory compliance of the infrastructure to the cloud provider.
How do you ensure data confidentiality in the public cloud?
The large hyperscalers offer confidentiality agreements, which already ensure this contractually. On a technical level, each customer is offered their own ‘space’ in isolation. If we want greater isolation, we can choose to host our services on dedicated infrastructure (by default the infrastructure is shared with other clients, although isolated), with the corresponding extra cost.
Types of tools or services offered by public clouds
In addition to all the basic services mentioned in the previous points, some clouds have more complete security suites that can range from a simple ‘firewall as a service’ to granular access policies for third-party applications (SaaS), centralised antivirus management for your VMs, or real-time vulnerability scanning and analysis. An example of such a suite could be Defender for Cloud for Azure or AWS Security for the Amazon cloud.
We should also add, as part of security, Identity and Access Management (IAM) suites, in which we can apply conditional access policies, enforce a second authentication factor, or block access by country for any user in the organisation. An example of such suites could be Oracle IAM for OCI, or Entra ID for Azure.
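As an added illustration of the three IAM controls just named (not code from the interview, nor from Entra ID, Oracle IAM or any other provider), the following Python model shows how conditional access policies are typically evaluated: every policy whose application scope matches the sign-in is considered, any "block" (here, by country) is final regardless of other controls, and otherwise the strictest grant control (require MFA) across matching policies is what the user must satisfy. The policy names, application names, country codes and sign-in events are constructed for the example.

```python
"""Toy conditional-access evaluator (added example, not a provider's code).

Models the three controls mentioned in the text: per-application access
rules for third-party SaaS, a forced second factor, and blocking by country.
Semantics follow the usual precedence rule: any "block" wins over any
"grant" control. All names, policies and sign-in events are constructed.
"""
from dataclasses import dataclass

ANY = "*"  # wildcard meaning "all applications"


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    country: str         # assumed to come from GeoIP on the source address
    mfa_satisfied: bool  # second factor already completed in this session


@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset                               # targeted apps, or {ANY}
    blocked_countries: frozenset = frozenset()    # sign-ins from here are blocked
    require_mfa: bool = False                     # grant control: second factor


def applies(policy: Policy, sign_in: SignIn) -> bool:
    """A policy is in scope if it targets all apps or this specific app."""
    return ANY in policy.apps or sign_in.app in policy.apps


def evaluate(policies, sign_in: SignIn) -> str:
    """Return 'block', 'require_mfa' or 'allow' for one sign-in attempt.

    A block from any in-scope policy ends evaluation immediately, so a
    completed MFA never overrides a geo-block. Otherwise the sign-in is
    allowed only if every in-scope MFA requirement is already satisfied.
    """
    decision = "allow"
    for policy in policies:
        if not applies(policy, sign_in):
            continue
        if sign_in.country in policy.blocked_countries:
            return "block"
        if policy.require_mfa and not sign_in.mfa_satisfied:
            decision = "require_mfa"
    return decision


# Constructed tenant policies (hypothetical names, apps and country codes).
POLICIES = (
    Policy("Geo-block all apps", frozenset({ANY}),
           blocked_countries=frozenset({"KP", "RU"})),
    Policy("MFA for third-party SaaS", frozenset({"crm-saas", "hr-saas"}),
           require_mfa=True),
)

# Constructed sign-in events for a dry run of the policies above.
SAMPLE_SIGN_INS = (
    SignIn("alice", "crm-saas", "ES", mfa_satisfied=False),   # SaaS, no MFA yet
    SignIn("alice", "crm-saas", "ES", mfa_satisfied=True),    # SaaS, MFA done
    SignIn("bob", "internal-wiki", "ES", mfa_satisfied=False),  # not a SaaS app
    SignIn("mallory", "hr-saas", "KP", mfa_satisfied=True),   # blocked country
)


def run_sample():
    """Decisions for the constructed events, in order."""
    return [evaluate(POLICIES, s) for s in SAMPLE_SIGN_INS]


if __name__ == "__main__":
    for s, d in zip(SAMPLE_SIGN_INS, run_sample()):
        print(f"{s.user:8} {s.app:14} {s.country} mfa={s.mfa_satisfied!s:5} -> {d}")
```

The last sample event is the one worth noting: the user has already completed a second factor, yet the sign-in is still blocked because the geo-block policy is evaluated as a block control, not a grant control, which mirrors how real conditional access engines order these decisions.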