Tags: Cloud Services
Author: 11:11 Systems
Date: May 3, 2018

Cloud Security: Getting the Balance Right

Editor’s Note: As of January 2022, iland is now 11:11 Systems, a managed infrastructure solutions provider at the forefront of cloud, connectivity, and security. As a legacy iland.com blog post, this article likely contains information that is no longer relevant. For the most up-to-date product information and resources, or if you have further questions, please refer to the 11:11 Systems Success Center or contact us directly.

In their report “CISO Playbook: How to Retain the Right Kinds of Control in the Cloud,”* Gartner addresses the need for security and risk management leaders to embrace a new mindset when moving to the cloud. In the playbook, Gartner highlights a number of recommendations across identity and access management, encryption, demonstrating governance and compliance and measuring cloud service provider SLAs. We’ll cover how 11:11 Systems helps customers address each of these areas in this blog.

With over a decade of experience helping customers adopt cloud computing across IaaS, DRaaS, and cloud backup use cases, we have witnessed the evolution of customer concerns about cloud security first-hand. In response, we’ve adapted our cloud platform and services to meet these ever-changing customer priorities.

Who takes responsibility for cloud security?

IT teams are all too familiar with managing the resources that make up their IT infrastructures, from the buildings they are housed in, to the electricity and cooling supply, through to the server, and all the way down to the storage and networking infrastructure. Gartner makes the analogy that moving to the cloud is a bit like being flown somewhere in a plane rather than driving your own car on the journey. You relinquish control of the maintenance and the driving to the flight crew of the plane. Whereas you might check the oil, tires, and windshield washer fluid on your car once in a blue moon, the plane will be checked rigorously every flight.

Much like the flight crew on a plane, 11:11 has included all the security features that on-premises environments have built up over time in our 11:11 Cloud Console. This includes best-of-breed edge firewalling, load balancing and VPN capabilities, as well as anti-virus/anti-malware, intrusion detection, vulnerability scanning, log inspection, file integrity monitoring, and suggested remediation for security issues.

Another observation Gartner makes in the report is that with the advent of distributed systems networking, we are no longer responsible for (or concerned with) the physical aspects of wide-area networking. We believe this is where the first concept of a “cloud” came from: the field of networking. You are no longer concerned with how traffic gets from A to B from a physical networking and cabling perspective; you are just concerned that it does so in a suitable period of time.

This idea extends nicely to cloud computing where you no longer have to worry about physical infrastructure lifecycles: servers, storage, local area networking, power, UPS, cooling, or rack space. You are just consuming resources.

This then brings us to the concepts of the shared responsibility model of cloud computing. Where is the demarcation line between different layers of cloud infrastructure? In the on-premises world, IT departments are responsible for the entire IT stack. In the “as a service” world, service providers become responsible for different aspects of the stack as you move from IaaS, to PaaS, and to SaaS – leaving the customers with SLAs covering the various service offerings.

Identity and Access Management

With the new shared responsibilities in the cloud, it is extremely important, as Gartner recommends in the report, to instill an effective Identity and Access Management (IAM) strategy. The 11:11 experience is that, in cloud environments, it is all too easy for everyone to simply log in as “root” or “administrator” and have access to all aspects of the platform. We’ve found that this can be dangerous for a number of reasons:

  • While everyone can create stuff, they can also change or delete it.
  • There is no real audit capability when everything is done by the same user name.
  • If the password falls into the wrong hands, bad things will happen.

It is fine if someone wants to do some short-term testing of a cloud platform and needs to be unhindered in their capabilities. However, it is far better (and safer) to start with a “least privilege” methodology. In this way, individual users are given just enough privileges or capabilities appropriate for their role. If they need additional capabilities, these can be added for a short time and then removed again unless it can be shown that they need to keep those additional privileges. Everything they do will be audited with their user name. Clearly, this strategy will apply to the different capabilities or functionalities provided by the cloud platform.
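The least-privilege approach described above, sketched as an added example (not code from the original post or from the 11:11 platform): each user starts from a role baseline, extra capabilities are granted for a limited time and lapse on their own, and every decision is audited under the individual's user name. The role names, permission strings, and resource names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical role baselines: each role holds only what it needs.
ROLE_PERMISSIONS = {
    "vm-operator": {"vm:read", "vm:power"},
    "network-admin": {"vm:read", "firewall:read", "firewall:write"},
}


@dataclass
class AccessManager:
    user_roles: dict                               # user name -> role
    grants: list = field(default_factory=list)     # (user, permission, expires_at)
    audit_log: list = field(default_factory=list)  # who did what to what, and when

    def grant_temporary(self, approver, user, permission, now, ttl):
        """Add one extra permission that expires by itself after ttl."""
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        self.grants.append((user, permission, now + ttl))
        self._audit(now, approver, "grant:" + permission, user, True)

    def effective_permissions(self, user, now):
        perms = set(ROLE_PERMISSIONS.get(self.user_roles.get(user), ()))
        perms |= {p for u, p, exp in self.grants if u == user and now < exp}
        return perms

    def authorize(self, user, permission, resource, now):
        """Default-deny check; the decision is logged under the caller's own name."""
        allowed = permission in self.effective_permissions(user, now)
        self._audit(now, user, permission, resource, allowed)
        return allowed

    def _audit(self, when, who, action, target, allowed):
        self.audit_log.append({"when": when.isoformat(), "who": who,
                               "action": action, "target": target, "allowed": allowed})


def demo():
    t0 = datetime(2018, 5, 3, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    iam = AccessManager({"alice": "vm-operator", "bob": "network-admin"})
    results = [iam.authorize("alice", "vm:power", "vm-mail-01", t0),      # in baseline
               iam.authorize("alice", "firewall:write", "edge-fw", t0)]   # not in baseline
    iam.grant_temporary("bob", "alice", "firewall:write", t0, timedelta(hours=2))
    results.append(iam.authorize("alice", "firewall:write", "edge-fw", t0 + timedelta(hours=1)))
    results.append(iam.authorize("alice", "firewall:write", "edge-fw", t0 + timedelta(hours=3)))
    return results, iam.audit_log


if __name__ == "__main__":
    outcome, log = demo()
    print(outcome)
    for entry in log:
        print(entry)
```

The last check fails because the two-hour grant has expired, so nobody has to remember to remove the extra privilege.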

It is also important to apply the IAM strategy on the cloud platform and the applications and services that the cloud platform is presenting to the outside world. A simple example might be email.

  • The email server might be running within a virtual machine on the cloud platform. Its storage and networking might be administered by a cloud platform administrator with a particular set of permissions. Additionally, the email application might be accessed over the internet, so the edge firewall settings to allow access to the email application will also need to be administered.
  • The email application itself, running inside the virtual machine, will be managed using another set of permissions. This might also include a database.
  • At the highest level, users will be accessing the email server from their email client on a desktop or phone using their own credentials.

Encryption

Aside from identity and access management, the topic of encryption of data at rest and in transit is often seen as yet another way to secure, segregate, and isolate data on a public cloud platform. It is highly unlikely that anyone would be able to break into a public cloud data center and physically steal a disk drive containing your data, even if they could find the actual drives that your data resides on.

However, it is highly recommended to consider using encryption in the following areas:

  • Data at rest – is the storage encrypted at rest to mitigate against physical data theft?
  • If using virtual machines, can the virtual disks be encrypted? Who holds the private keys?
  • Encrypt data in transit between application and user at a minimum, perhaps using HTTPS/TLS.
  • Site-to-site VPNs should use strong encryption.
  • Consider the use of encryption in database applications.

Monitoring and Instrumentation

As discussed earlier, in addition to implementing a strong IAM strategy, it is equally important to enable logging for auditing purposes. Who did what to what and when?

In a global cloud strategy, the question of location can also come in. Particular users might only be allowed access to certain locations for data sovereignty control purposes.

Monitoring the cloud infrastructure is also important to ensure rapid alerting and diagnosing of issues, including:

  • Monitoring performance statistics within the VMs or PaaS applications running
  • Monitoring of network components, such as firewalls, routers, and load balancers
  • Logging of user logins, failed attempts, firewall issues, intrusion detection
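An added example (not part of the original post, and not the 11:11 Cloud Console API) of reviewing audit events for three conditions this article raises: a shared "root" or "administrator" account used from several places, repeated failed logins, and activity outside the locations a user is allowed for data sovereignty. The event layout, region names, per-user region policy, and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample audit events: (time, user, source_ip, region, action, ok)
EVENTS = [
    ("2018-05-03T09:00:00", "root", "198.51.100.10", "us-east", "login", True),
    ("2018-05-03T09:02:00", "root", "203.0.113.7", "us-east", "vm:delete", True),
    ("2018-05-03T09:05:00", "alice", "198.51.100.10", "us-east", "login", True),
    ("2018-05-03T09:06:00", "carol", "192.0.2.44", "eu-west", "login", False),
    ("2018-05-03T09:06:20", "carol", "192.0.2.44", "eu-west", "login", False),
    ("2018-05-03T09:06:40", "carol", "192.0.2.44", "eu-west", "login", False),
    ("2018-05-03T09:10:00", "alice", "198.51.100.10", "eu-west", "vm:read", True),
]
SHARED_ACCOUNTS = {"root", "administrator"}   # the shared logins the article warns about
ALLOWED_REGIONS = {"alice": {"us-east"}, "carol": {"eu-west"}}  # hypothetical policy
FAILED_LOGIN_THRESHOLD = 3                    # hypothetical threshold


def review(events):
    """Return (kind, user, detail) findings for the three conditions above."""
    findings = []
    shared_sources = defaultdict(set)
    failed = defaultdict(int)
    for when, user, ip, region, action, ok in events:
        if user in SHARED_ACCOUNTS:
            shared_sources[user].add(ip)
        if action == "login" and not ok:
            failed[user] += 1
        allowed = ALLOWED_REGIONS.get(user)
        # Only successful actions count as a sovereignty violation.
        if ok and allowed is not None and region not in allowed:
            findings.append(("region-violation", user, f"{action} in {region} at {when}"))
    for user, ips in sorted(shared_sources.items()):
        if len(ips) > 1:
            # Several sources behind one name: the audit trail cannot say who acted.
            findings.append(("shared-account", user, f"used from {len(ips)} source addresses"))
    for user, count in sorted(failed.items()):
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed-logins", user, f"{count} failed attempts"))
    return findings


if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```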

To enable this, 11:11 has taken advantage of the rich APIs offered by our technology partners, including VMware, Trend Micro, Tenable, Zerto, and Veeam, to surface relevant monitoring information into the 11:11 Cloud Console, via a market-leading Cassandra database. Not only is real-time information available, but data can also be retrieved and viewed for up to a year. A higher-level API makes this information available to authenticated and authorized external users.

Adherence to Compliance Regulations

Here at 11:11, we have always focused on delivering secure and compliant cloud services to our customers. In addition to providing all the security features that businesses have been used to in their on-premises environments, we have also led the way in terms of compliance and certification to relevant industry best practices and emerging standards.

Additionally, as customers continue to face an increasingly regulated environment, 11:11 has established an in-house certified compliance team to work with customers to provide documentation and expert compliance assistance to fulfill audit requirements across the US, EMEA, and APAC.

Contracts and Service Level Agreements (SLAs)

The final recommendation is around cloud service provider contracts and SLAs. As with any commercial agreement, there will be contracts, master service agreements, and the SLAs within them to understand and agree to.

Many CSPs, especially the hyperscale providers, can be extremely rigid with their SLAs and can be very inflexible when asked to change them. Where do they stand on different aspects of compliance? Are they able to share their certifications and attestations? How flexible are they with their SLAs on subjects such as availability? Will they pay out service credits if service is not available according to the SLA?

In a previous blog article, we’ve discussed how 11:11 delivers a 100 percent availability guarantee backed by service credits and how we use the features of a VMware-based cloud platform to achieve this with cloud-to-cloud DR for additional resiliency.

To summarize, with security risks and compliance regulations only increasing along with the adoption of cloud services, it’s important to understand shared responsibility with regard to cloud security. Striking the right balance between relinquishing and maintaining control in the cloud will enable your business to securely leverage the many benefits of cloud services.

*Gartner, “CISO Playbook: How to Retain the Right Kinds of Control in the Cloud,” Steve Riley, 21 March 2017.

Categories: IaaS, Security