Which fits best in a cloud architecture: public cloud or private cloud? Your decision could rest on how each option’s cloud security architecture works. Cloud security architecture helps decision makers choose what data is suitable for which type of cloud platform and ensures the organization can maintain visibility and control over the data.
In this second post in our cloud security architecture mini-series, we talked to TierPoint’s Tyler Reese, Cybersecurity Architect, to learn about the differences between private and public cloud security architecture and how to keep data safe in a public cloud. Read the first post in the series to dive deeper into what you need to know about cloud security architecture.
Private cloud or public cloud security architecture?
Interviewer: How do private and public cloud security architecture differ?
Tyler: There’s a large difference between private cloud and public cloud security architecture. Common security controls used internally on-premises or in a private cloud do not translate directly to public cloud Infrastructure as a Service (IaaS) platforms. There is no like-to-like comparison; they are separate domains of cybersecurity expertise.
To better understand the difference between private and public cloud security architecture, you may want to read about how private cloud architecture works compared to others.
Another factor is that many public cloud providers don't provide detailed control and compliance information about their internal environments. IaaS security policies for public clouds, such as Azure and AWS, are highly abstracted so you don’t know what's going on under the hood of a hyperscale public cloud. That said, TierPoint partners with public cloud platforms, and our cloud security experts work closely with our customers to select the types of data suitable to store in public clouds and to provide the visibility and control required by cloud security architecture.
In comparison, a private cloud is an IaaS-hosted pool of resources that I find is more familiar to IT professionals. So, while a public cloud makes sense for deploying applications globally, a private cloud from TierPoint might be more appropriate for business applications that don’t require global distribution.
The most important factor in the decision-making process for where to put data — in a private cloud or public cloud — is what type of data is best suited for each type of cloud computing environment. Private clouds offer fine-tuned security controls. That additional level of control and the security tools available for private cloud computing can help a business reach and maintain a specific regulatory or compliance mandate or a desired security posture.
Public cloud security architecture
Interviewer: Let’s dive into public cloud security. What are the biggest threats to resources in a public cloud, and how can a business mitigate them?
Tyler: Two of the biggest threats when using public cloud infrastructure are a lack of visibility into a cloud app and the theft of data — that is, an exploit against a service or a breach of data. A misconfiguration of a storage bucket, say on AWS, is a common problem. So, everyone involved in your organization’s use of a public cloud platform needs to understand their roles and responsibilities for cloud security, which requires coming up to speed on the security policies and protections applicable to that public cloud platform. Every public cloud platform is different.
You’ll need a deep understanding of the security controls provided by that public cloud platform to be able to implement cloud security successfully. Through 2023, something like 99% of public cloud security failures will be the customer’s fault. That’s because public cloud security models are not familiar to many IT security experts, and public cloud providers put the sole responsibility for data security and access control on their customers. That’s why many public cloud customers engage the expertise of a managed security services provider (MSSP) like TierPoint.
Some threats in the public cloud can be mitigated with identity and access management controls. If you don't have a cloud access security broker (CASB) or a trust boundary that can sample intelligently and give you a viewpoint into what's happening in your public cloud environment, then you're missing out on a lot of visibility.
Interviewer: What are some tools used in public cloud security architectures to provide cyberattack protection?
Tyler: A valuable tool for the whole organization, not just security, is what’s called a CASB or cloud access security broker. A CASB has three components: an agent on endpoint devices, cloud-native API integration, and an appliance that brokers access between the Internet and applications. A CASB provides essential visibility into the data traversing the network and the identities of all users who configure the cloud platform or access the data as a consumer. With a CASB your company knows about incidents and can correct missteps.
Other cloud security tools are multi-factor authentication (MFA), which controls access into privileged roles, and role-based access controls. The use of roles and the delegation of functional areas ensures that a compromised credential of a senior administrator does not create an attack vector that can compromise multiple areas.
A third security tool is a robust vulnerability detection and remediation program that is adopted throughout the organization. Such a program ensures that issues identified in quarterly audits move through the life cycle of vulnerability detection and remediation — and get resolved.
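Two of the concrete controls raised above, the misconfigured storage bucket from the earlier answer and MFA gating privileged roles from this one, can be checked mechanically before a policy is deployed. The following is an added example, not code from TierPoint or from the interview: a small linter over AWS IAM-style policy documents that flags Allow statements open to any principal and role trust policies that permit sts:AssumeRole without the aws:MultiFactorAuthPresent condition. The policies, bucket name, and account ID are constructed samples.

```python
# Constructed samples (not from the post): a bucket policy open to anyone,
# an admin role trust policy with no MFA requirement, and its hardened form.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
ADMIN_TRUST_NO_MFA = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAdmins", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "sts:AssumeRole"}],
}
ADMIN_TRUST_MFA = {  # same grant, but assumption requires a present MFA
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAdmins", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}],
}

def _statements(policy):
    s = policy.get("Statement", [])
    return [s] if isinstance(s, dict) else s  # Statement may be a single object

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def _is_wildcard_principal(principal):
    # "*" and {"AWS": "*"} both mean anyone, including anonymous callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def public_statements(policy):
    """Sids of Allow statements granted to any principal with no Condition at all."""
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(_statements(policy))
            if s.get("Effect") == "Allow" and _is_wildcard_principal(s.get("Principal"))
            and "Condition" not in s]  # any Condition is treated as a restriction

def _requires_mfa(stmt):
    cond = stmt.get("Condition", {})
    return str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true"

def assume_role_without_mfa(trust_policy):
    """Sids of Allow sts:AssumeRole statements that do not insist on MFA."""
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(_statements(trust_policy))
            if s.get("Effect") == "Allow"
            and "sts:AssumeRole" in _as_list(s.get("Action"))
            and not _requires_mfa(s)]
```

The public-principal check is deliberately conservative: a wildcard principal narrowed by a Condition (for example a source IP restriction) is not flagged, so review such statements by hand.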
Hybrid and multicloud security architecture
Interviewer: Do the cloud security principles you’ve talked about for public cloud computing also apply to multicloud and hybrid cloud infrastructure?
Tyler: The fundamental principles translate. With hybrid and multicloud security architecture, it’s important to strive for a unified security posture and unified approach across all of the environments — which requires understanding the different abilities and tools of each of them — while providing centralized management across all of the service providers.
A new term on the market is SASE (pronounced sassy), or secure access service edge, where a single service vendor delivers secure access for every one of your environments. SASE can be applied when and where needed in very different environments, which greatly simplifies access management control, especially in a hybrid cloud environment. TierPoint partners with Fortinet, a security fabric platform that provides complete readiness for our customers to embrace SASE.
More on cloud security architecture
In the next part of this cloud security Q&A series, we’ll look more closely at private cloud security architecture and share a tip for sourcing vetted IT security equipment. Interested in learning more about security? Read our Strategic Guide to IT Security.
It can be daunting to undertake a cloud security architecture with the resources in your own organization. TierPoint is a managed security services provider (MSSP) and cloud service provider (CSP). Reach out to us to discuss how we can help you.