Many companies think they can carry their existing security mechanisms over to the cloud. However, the cloud is an entirely different environment and must be looked at from a different perspective, with privacy in mind.
Traditionally, before migrating to the cloud or building infrastructure there, companies set up a datacenter with physical hardware and kept databases separate from servers. In this environment, the hardware is not shared with others and, in theory, only you have access to the equipment. This physical separation and physical security is not complete in itself, but it does offer a layer of protection that is otherwise missing in the cloud.
When you move to the cloud, you do not own anything, and everything is shared. The cloud provider (another company) owns the hardware and networking infrastructure, which is shared with other organizations too. It is hard to map a 1:1 relationship to the physical resources (CPU cores, storage drives, network interfaces, virtualization, etc.). This also means your data may reside on the same physical media as that of another cloud customer who could be investigated by a government agency. If the agency requests a copy of that physical drive, your sensitive data suddenly becomes collateral damage without your knowing it.
As long as you are renting, there is always an administrator who has access to all resources to ensure that everything is up and running. This is especially true when you move to Platform as a Service (PaaS) models, where the service provider owns not just the physical or virtualized hardware but also the operating system running on it. So even if the cloud provider has no interest in your data, a rogue employee on the cloud team can ruin your company through data leaks.
To a hacker attacking it, a cloud setup is handled with much the same approach and techniques as a normal physical server. From an offensive security perspective, it therefore depends on how the company sets up its security measures in the cloud, and a small mistake can lead to a total compromise of that cloud infrastructure.
These are just a few of the reasons why it is critical to have very strong data encryption in the cloud. Choose the server location based on the laws governing government access to data; compliance requirements also make it illegal to operate in the cloud without adequate protection for your sensitive data.