Businesses are going to the cloud for greater cost efficiencies, business agility, improved customer experiences, and more. But the network gets them there and helps them make the most of what the cloud offers with fast, uninterrupted, and well-designed connections. And that’s all only possible with both network security and cloud security.
Beyond-the-Perimeter Security Needs
Moving to cloud services means moving beyond the traditional on-premises perimeter of your network, which, in turn, requires a different way of thinking about security.
With on-prem network security, you deal with a distinct perimeter between the internet and your organization’s internal network. Your network security protects the usability and integrity of the company’s network and data inside that perimeter, and it is part of your on-premises IT operations: the activities, hardware and software technologies, policies, and controls you implement to let authorized users reach network resources while blocking malicious actors from carrying out exploits and threats.
But when workloads and users move beyond the on-prem perimeter, those perimeter protections don’t follow them into the cloud. Part of your security now depends on the cloud services provider (CSP), and the rest remains yours to implement.
Cloud Security To-do’s
You still must control your company’s internal network, but the following can help give you peace of mind that the CSP has you covered where it should and that your cloud environment is secure.
1. Understand the division of responsibilities between your company and the CSP.
The way it works at US Signal is that we protect the underlying infrastructure that powers our colocation offerings, data protection suite, network services, and cloud solutions. That includes the physical layer of the cloud — the compute, storage, and network subsystems, and the software (virtualization layer). It also includes operating and securing the data centers and network infrastructure.
As the customer, you are responsible for the security of your data, applications, operating system, and any equipment you own in the case of colocation services. This includes:
Limiting access to the root account
Encrypting data at rest and in transit
Managing and controlling your encryption keys
Abiding by US Signal security protocols at the data center(s)
Managing the data center access list for employees and vendors
Many customers layer on managed security services, such as vulnerability scanning and patch management, to meet specific requirements. In those cases, US Signal handles the security configuration tasks the service covers, such as patching and firewall configuration.
2. Know what security processes, technologies, and policies the CSP has to maintain a secure cloud environment.
Is security covered in SLAs? How does the CSP handle incident response? Has it ever had a breach? What kind of threat monitoring is in place? Don’t hesitate to ask questions until you are comfortable that the CSP is doing everything possible to offer a safe cloud environment.
3. Know your compliance requirements.
Many compliance requirements have to do with security, so CSPs like US Signal that maintain well-governed, high-quality IT infrastructure meeting the demands of a range of regulators and industry standards usually have good security mechanisms in place. That’s especially the case for those that are HIPAA- and PCI DSS-compliant.
Ensuring the necessary security controls and documented processes are in place and regularly audited can help your company meet many of its compliance requirements. Keep in mind, however, that your company is ultimately responsible for meeting its own compliance requirements, so make sure you understand exactly what a CSP can and cannot do for you.
4. Implement and/or insist on cloud and network security best practices. That includes:
Deploying zero-trust networks. In the zero-trust security model, no user, device, or workload is trusted by default, whether inside or outside your network; every request is authenticated and authorized. Zero trust shifts access control from the network perimeter to individual users and devices.
Restricting access from the internet to your cloud resources unless it is necessary. Where you can’t avoid it, limit exposure with network-level security in the cloud: edge protection with DDoS mitigation, web application firewall (WAF) policy enforcement, identity-aware access control, and threat detection with real-time monitoring, logging, and alerting. Ask your CSP about managed security services that can help with this.
Securing connections between all of your environments. Secure the connections to every environment, in the cloud, on-prem, or in a colocation facility, to keep your deployments as private as possible and reduce exposure to threats. Private access options let cloud-based or on-premises clients reach supported APIs and services without an external IP address, so you can tighten exposure without disrupting critical workflows.
Using micro-segmentation. Regulate and manage communication between applications and services within your network. Micro-segmentation applies fine-grained policies that control traffic precisely, so if an attacker does get into your network, lateral movement is contained. You can also use micro-segmentation policies to isolate critical systems, which strengthens regulatory compliance.
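To make the "restrict internet access" and "micro-segmentation" points concrete, here is an added example (not US Signal code, and not a description of any US Signal product) that models a default-deny allow-list policy and evaluates constructed flows against it. The segment names, CIDRs, ports, and sample flows are all made up for illustration. It compares a segmented policy with a flat internal policy and reports the blast radius an attacker would have after compromising one segment.

```python
"""Default-deny segmentation policy evaluated against constructed flows.

Added example for illustration only: segments, CIDRs, ports and flows
are assumptions, not a description of any real environment.
"""
import ipaddress
from dataclasses import dataclass

# Constructed internal segments (assumed layout, not a real one).
SEGMENTS = {
    "web":  ipaddress.ip_network("10.0.1.0/24"),
    "app":  ipaddress.ip_network("10.0.2.0/24"),
    "db":   ipaddress.ip_network("10.0.3.0/24"),
    "mgmt": ipaddress.ip_network("10.0.9.0/24"),
}
INTERNET = "internet"  # any address outside the private segments


@dataclass(frozen=True)
class Rule:
    src: str   # segment name, INTERNET, or "any" (= any internal segment)
    dst: str   # segment name or "any" (= any internal segment)
    port: int  # TCP destination port


# Segmented policy: a short allow-list; everything else is denied.
SEGMENTED = (
    Rule(INTERNET, "web", 443),  # the only internet-facing exposure
    Rule("web", "app", 8080),
    Rule("app", "db", 5432),
    Rule("mgmt", "web", 22),
    Rule("mgmt", "app", 22),
    Rule("mgmt", "db", 22),
)

# Flat policy for comparison: internal services reachable from any segment.
FLAT = (
    Rule(INTERNET, "web", 443),
    Rule("any", "any", 22),
    Rule("any", "any", 8080),
    Rule("any", "any", 5432),
)


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything unmatched is INTERNET."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return INTERNET


def _matches(pattern: str, segment: str) -> bool:
    # "any" deliberately never matches INTERNET, so a flat policy still
    # does not expose internal services directly to the internet.
    return pattern == segment or (pattern == "any" and segment in SEGMENTS)


def is_allowed(rules, src_ip: str, dst_ip: str, port: int) -> bool:
    """Default deny: a flow passes only if some rule explicitly allows it."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    return any(_matches(r.src, src) and _matches(r.dst, dst) and r.port == port
               for r in rules)


def blast_radius(rules, compromised: str) -> set:
    """(segment, port) pairs reachable by an attacker holding `compromised`.

    Lateral movement is bounded by this set; a good policy keeps it small.
    """
    targets = set()
    for r in rules:
        if not _matches(r.src, compromised):
            continue
        dsts = SEGMENTS.keys() if r.dst == "any" else [r.dst]
        for d in dsts:
            targets.add((d, r.port))
    return targets


# Constructed sample flows: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("203.0.113.10", "10.0.1.5", 443),   # internet -> web HTTPS
    ("203.0.113.10", "10.0.3.5", 5432),  # internet -> db directly
    ("10.0.1.5", "10.0.2.5", 8080),      # web -> app, expected path
    ("10.0.1.5", "10.0.3.5", 5432),      # web -> db, lateral movement
    ("10.0.1.5", "10.0.2.5", 22),        # web -> app SSH, lateral movement
]


def evaluate(rules, flows) -> list:
    """Return an allow/deny verdict per flow, in order."""
    return [is_allowed(rules, s, d, p) for s, d, p in flows]


if __name__ == "__main__":
    for name, rules in (("segmented", SEGMENTED), ("flat", FLAT)):
        print(f"{name}: verdicts={evaluate(rules, FLOWS)}")
        print(f"  blast radius from a compromised web host: "
              f"{sorted(blast_radius(rules, 'web'))}")
```

Both policies keep the database off the internet, but only the segmented one stops a compromised web host from reaching the database or SSH on the app tier: its blast radius from "web" is a single (app, 8080) pair, while the flat policy hands the attacker every internal service. Real enforcement happens in distributed firewalls, security groups, or host agents, but the evaluation logic is the same: match explicitly, deny by default, and review the reachable set from each segment.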
More Security Resources
To learn more about IT, cloud, and network security, take advantage of these resources: