Can customers in the cloud attack each other? Can cloud users control their own data? Will cloud providers disclose your content?
Worldpay’s DevOps lead, Miroslav Danov, answered all three questions at Computing’s Enterprise Security and Risk Management 2015 today.
Danov began by making a general point about security: it doesn’t matter what rules you follow, the risks are the same.
“It doesn’t matter if you’re located in your country’s private data centre or in any other data centre – it doesn’t matter where they’re located,” said Danov, adding that application attacks can come from anywhere.
“The vast majority of threats against servers target applications – HTTP, TCP or SSL/TLS – all these layers are dependent on application attack.”
When it comes to customers “in the same cloud” attacking one another, Danov was clear: it’s a myth that customers in the same cloud can attack each other.
“Actually, multi-tenant systems offer security benefits over single-tenant,” he said.
“First, they ensure their security patches are always up to date [unlike single-tenant clouds],” he said, adding that users can assign their own levels of encryption. Danov cited AWS as a provider that allows personally defined security protocols.
Myth number two: “I’m in control of my data without the cloud.”
“You’re the one who decides what provisions [are put in place],” said Danov.
“Most cloud providers have multiple regions – for example, Amazon has regions in Ireland and Germany. Each of them is divided into availability zones based around physical location. You decide where to store the data,” he continued.
“Cloud customers can also decide when or where to terminate SSL connections, or in the cloud you can have the same virtual box that will do the same job.”
A final myth: Do cloud providers disclose content?
“Cloud providers don’t disclose any content unless required to do it. If they do it, they’ll inform you of it,” concluded Danov.