As far as cybersecurity technology goes, absolutely nothing is new or different about cloud security.
Cloud security is based on precisely the same fundamental technology you should already be using in your in-house operation.
The only difference is that you are turning over control, and thus visibility, of some of the operation to a cloud provider. The details of where you surrender control and visibility depend on your combination of cloud services.
There are, however, a few non-technical differences.
The first, and most obvious to most would-be cloud customers, is that loss of control and visibility. Security audits require you to prove that certain things are being done in certain ways. A cloud provider may offer to show you the results of their internal SAS 70 audit. But as I pointed out before, the SAS 70 was designed by and for accountants. It just shows that the provider follows their own procedures carefully; it does not suggest that their procedures provide any level of cybersecurity.
Would-be cloud customers complain about cloud provider opacity. The providers are in business to make money, and they are reacting (slowly) to the market desires.
However, the difficulty of mutual auditability in a cloud setting is no surprise to most people. What about less obvious concerns?
Reputation fate-sharing is an interesting one. That is, interesting if it happens to someone else. Potentially catastrophic when it happens to you.
On November 30, 2010, Wikileaks migrated some of its services to the US-East-1 region of AWS after facing an intense DDoS attack hammering its servers at 10 Gbps. Effects of the attack migrated with the Wikileaks mirrors, causing a degradation of service to servers already in the same Availability Zone(s). Amazon quickly booted Wikileaks off their cloud, saying it was because of Wikileaks’ violation of the AWS terms of service and not because of any request from the U.S. Government.
However, for a day or so in early December, some customers of AWS were all too aware of how operating on the Internet is like living in a trailer park where an enormous meth lab can appear next door at any moment.
Spammers have also found refuge in the cloud, leading Spamhaus to block large ranges of AWS EC2 IP address space.
It could be far worse. In March and April 2009, the FBI raided at least two data centers in Texas, prompted by complaints from AT&T and Verizon about unpaid bills owed by some customers of those data centers. At one data center, the FBI seized about 220 servers plus network gear (and, for some reason, even the power strips!).
See the Wired article for details. I don’t doubt that some of the disrupted businesses were criminal ventures. But some innocent businesses were victims caught up in the seizure.
If you think it’s hard to audit a potential cloud provider, just imagine how little you will ever really know about their other customers!
Learning Tree’s Cloud Security Essentials course discusses the difficulty of auditing in a cloud environment, and the impossibility of ensuring availability.