Public Cloud – 4 Subtle Differences with Significant Security Concerns

By Grant Asplund, Cloud Evangelist

Do you know what percentage of enterprises surveyed are either very concerned or extremely concerned about security in the cloud? Considering Gartner is predicting that Infrastructure as a Service (IaaS) will grow at a compound annual rate (CAGR) approaching 30% through 2022, you would think it’s not too high, right? I’ll share the answer with you a bit later.

When organizations move their workloads and datacenter functions into the public cloud, they must continue to apply and assert all of the same security and operational disciplines they employ in their on-premises datacenter. On top of that, the cloud introduces new challenges and new security concerns, which require new tools and disciplines to ensure the cloud is being used securely.

When I speak, I’ll often refer to the challenges we all experienced when enterprises first began adopting virtualization. Remember inter-VM and intra-VM communications, or vMotion? These new capabilities threw IT departments curve balls and forced the development of new tools to provide visibility and control. Well, as Yogi Berra famously said, “It’s like déjà vu all over again.” Only now, it’s worse. If you thought it was difficult to clearly see and know precisely what was happening between two VMs on a server, just wait. In fact, the top two operational concerns of IT professionals when moving to the public cloud are compliance (34%) and visibility (33%) into infrastructure security.

In one of my presentations I use a metaphor to emphasize the subtleties and nuances between the cloud and on-premises environments. The slide has two pictures side by side. On the left is a photograph of a round, above-ground backyard swimming pool. On the right is a photo of a swimming hole at the bottom of a waterfall on a river. Yes, both are places to swim. Both are filled with water. But there are many subtle (and some not so subtle) differences between the two environments. One of the not-so-subtle ones: in the backyard pool, you likely won’t have to check for things that will eat you. Another: YOU fill the backyard pool and then maintain it. The swimming hole is filled for you and is constantly being replenished with new, changing water. Remember the Shared Responsibility Model? IN and OF. You need to focus on what’s IN the public cloud; the cloud provider will take care OF the public cloud. Put another way, the swimming hole will always be full, but always changing, and it’s up to you to understand it and know how to securely swim in (use) the environment.

Maintaining and ensuring compliance in the cloud is a challenge. There are many issues and concerns you’ll need to address when you move to the public cloud; far too many for this blog. I’ll touch on just a few…

Clear Understanding of Shared Responsibility – In and Of

Despite the fact that just about every cloud presentation I see at conferences has a slide highlighting the confusion around the ‘shared responsibility’ model, I’m going to bring it up again, this time in the context of compliance. The cloud providers are not going to make sure what is IN their cloud (your stuff!) is compliant. This is on you. Sure, they keep their side of the bargain: the compliance OF the cloud environment they provide. But only OF it, not what’s IN it.

It’s Ephemeral! (sing to the melody of “It’s Electric” from the Electric-Slide era…)

This feature of the cloud can really play havoc with your compliance aspirations. Cloud environments are constantly expanding, contracting, moving and changing. This makes accurately assessing the compliance and security posture of your workloads, at any given moment, nearly impossible. A workload that is created and torn down between two scheduled scans never shows up in either scan, so it is never assessed at all.

Visibility, or the lack of it, can create many challenges. This is true for both on-premises and public cloud environments; however, I would suggest it is exponentially more difficult to maintain and ensure compliance when using public cloud. Earlier in this writing, I referred to the challenges we all experienced back when virtualization was first introduced. Things like communications between VMs and vMotion presented new visibility challenges for IT departments. In the public cloud, these challenges have only been exacerbated. No longer are your workloads confined to your on-premises datacenter. Now they’re running anywhere and everywhere, literally. I think we will all agree that visibility is the starting point for addressing and resolving virtually all security-related issues and concerns, including compliance. If you can’t see it, you really can’t do anything about it, let alone even be aware of it, no matter what ‘it’ is.

And certainly, another one of the things ‘it’ can be is sprawl. Unlike on-premises environments, in the public cloud adding one server, or two, or three hundred can happen in a matter of seconds. And it can happen from anywhere! Additionally, new assets and entities can be torn down just as quickly as they are created. The problem is, without the proper visibility you can never be sure that everything has been properly disconnected, de-integrated and completely removed from your environment. Terminated instances commonly leave behind detached storage volumes, security groups and DNS records that are still in scope for your compliance posture.

The rigor and discipline required to ensure continuous compliance in the cloud, at the speed of the cloud, can only be achieved with the help of tools and automation. The constantly changing, moving and ephemeral aspects of the cloud are what we all love about it. But the elastic and agile capabilities of on-demand computing have changed how companies deliver IT, and now the security and compliance teams within enterprises need to change, too. The old tools and old ways of doing things just won’t work in the public cloud.
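The ephemeral, sprawl and visibility points above, as an added example that is not from the original post: the script below diffs two inventory scans to show churn and leftover resources, and reads the change log between them to surface a resource that lived and died between the scans and was therefore never assessed. All resource ids, snapshots and events are constructed for illustration; their shape is a simplified stand-in for an inventory or CloudTrail-style feed, not any real API output.

```python
"""Added example (not from the original post): why a point-in-time scan cannot
see every resource in an ephemeral cloud estate, and how to detect sprawl and
leftovers by diffing scans and reading the change log between them.

All records below are constructed for illustration. Their shape is a simplified
stand-in for an inventory/CloudTrail-style feed, not real API output.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Resource:
    rid: str                                            # e.g. "i-web1", "sg-web", "vol-web1"
    kind: str                                           # "instance", "security_group" or "volume"
    attached_to: Set[str] = field(default_factory=set)  # instance ids this resource serves


Snapshot = Dict[str, Resource]   # what a scanner sees at one instant: {rid: Resource}


def snapshot(*resources: Resource) -> Snapshot:
    return {r.rid: r for r in resources}


def diff_snapshots(before: Snapshot, after: Snapshot) -> Tuple[Set[str], Set[str]]:
    """Resource ids that appeared and disappeared between two scans (sprawl/churn)."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    return added, removed


def find_orphans(snap: Snapshot) -> Set[str]:
    """Non-instance resources no longer attached to any instance that still exists.
    These are the leftovers of a 'torn down' workload that was not fully removed."""
    live = {rid for rid, r in snap.items() if r.kind == "instance"}
    return {rid for rid, r in snap.items()
            if r.kind != "instance" and not (r.attached_to & live)}


def missed_by_snapshots(events: List[dict], before: Snapshot, after: Snapshot) -> Set[str]:
    """Resources created AND destroyed between the two scans. They appear in
    neither inventory, so a snapshot-based compliance assessment never evaluated
    them; only the change log proves they existed."""
    created = {e["rid"] for e in events if e["action"] == "create"}
    destroyed = {e["rid"] for e in events if e["action"] == "destroy"}
    return (created & destroyed) - set(before) - set(after)


# --- constructed sample data ---------------------------------------------------
# Scan at 09:00: one web instance with its security group and data volume.
SNAP_T1 = snapshot(
    Resource("i-web1", "instance"),
    Resource("sg-web", "security_group", {"i-web1"}),
    Resource("vol-web1", "volume", {"i-web1"}),
)

# Change log between the scans (simplified, constructed CloudTrail-like events).
EVENTS = [
    {"time": "09:05", "action": "create", "rid": "sg-batch"},   # batch job's own SG
    {"time": "09:06", "action": "create", "rid": "i-batch1"},   # short-lived batch worker
    {"time": "09:25", "action": "destroy", "rid": "i-batch1"},  # gone after 19 minutes
    {"time": "09:40", "action": "create", "rid": "i-web2"},     # web tier replaced
    {"time": "09:45", "action": "destroy", "rid": "i-web1"},    # old web instance terminated
]

# Scan at 10:00: new web instance; the old volume and the batch SG were never cleaned up.
SNAP_T2 = snapshot(
    Resource("i-web2", "instance"),
    Resource("sg-web", "security_group", {"i-web2"}),
    Resource("vol-web1", "volume"),             # detached, still holding data
    Resource("sg-batch", "security_group"),     # nothing uses it any more
)


def assess(before: Snapshot, after: Snapshot, events: List[dict]) -> Dict[str, Set[str]]:
    """One continuous-compliance pass: churn, leftovers, and the scanning blind spot."""
    added, removed = diff_snapshots(before, after)
    return {
        "added": added,
        "removed": removed,
        "orphans": find_orphans(after),
        "never_scanned": missed_by_snapshots(events, before, after),
    }


if __name__ == "__main__":
    for key, ids in assess(SNAP_T1, SNAP_T2, EVENTS).items():
        print(f"{key:>14}: {sorted(ids)}")
```

Running it reports i-web2 and sg-batch as added, i-web1 as removed, vol-web1 and sg-batch as orphans, and i-batch1 as never scanned: the batch worker existed for about twenty minutes between the 09:00 and 10:00 scans, which is exactly the case a periodic scan cannot evaluate and a continuous, event-driven control can.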

Oh, and in case you’re wondering, according to the 2019 Cloud Security Report from Cybersecurity Insiders (drawn from their 400,000-member community), 75% of those surveyed said they were either very concerned (37%) or extremely concerned (38%) about cloud security. You can read the full report here.

Subscribe and listen to all my TalkingCloud podcasts: TalkingCloud is available in Apple Podcasts, Google Podcasts and Podbean.