For some strange reason, people assume a cloud adds security... not at all. A cloud-hosted application or server is nothing more than a server that's accessible to the internet from some cloud solution. Period. Cloud does NOT add security.
So, now it gets interesting. Name anyone with even a modicum of security awareness who would place a web server in a data center without any additional protection.
Most people today understand it at least needs a firewall. Let's go deeper; this is a short list:
- Most would understand it should be a next generation firewall. It should be configured to best practices. Country blocking probably makes sense too.
- If it's a web application it should also include a WAF (Web Application Firewall).
- DDoS augmentation ought to make sense in most cases.
- Multi-factor authentication should be considered.
- Of course we would want extensive logging and alerting too.
- VPNs should be discussed: does the application really need to be exposed to the internet, or could it sit behind a VPN?
Let's get back to the earlier statement then. Placing a web server in a cloud offering (AWS, Azure, etc.) without all the appropriate data center standards for cyber security is outright recklessness. Anyone who does that with sensitive data is opening the door to well-justified litigation. Anyone who does that in a public company is laying the foundation for massive lawsuits. Private companies are likely to go under for that recklessness.
So, in case you didn't pick up on it: there isn't a lot of difference between securing cloud-based assets and securing data center assets. That's my point. Cloud doesn't add security. If anything, cloud requires additional security to make up for inherent weaknesses that can occur due to lack of logging and/or the inability to control access more tightly when resources are shared with other entities.
Don't host a web server or application in the cloud for public access without additional protection!