Cloud security has become critically important as cloud computing itself has emerged as a foundational technology for the enterprise. Yet fully understanding the best strategies for cloud security is a true challenge. In this webcast, we'll address the following:
- Why is focusing on cloud-specific cybersecurity a mistake?
- What are the challenges in managed visibility on the cloud?
- What can be done to lessen human error in cloud security?
- How can companies build CloudFormation templates that keep the cloud secure, even as the infrastructure changes?
1) How Do You Define Cloud Security? (4:27)
“Well, so there's a couple layers to it. The providers themselves are responsible for the security of the underlying infrastructure. That's just an automatic presumption that that's their area of care. But it's about the data and processing that you do on top of that cloud and how you protect it.
“It's best to assume that you are responsible for all aspects of transporting that data into the cloud, the processing you do on it, the storage you do on it, and any transport back out of the cloud; it is upon you to secure those things. Different cloud providers have different levels of control and visibility into the settings that you can have on that. You can see a number of news articles out there about researchers finding open Amazon S3 buckets...things of that sort.
“That's really ultimately on the individual organization that's putting that data into the cloud to secure that. And that's the key to understanding this: it's no different than any other computer system. You're responsible for that transport security, the storage security of that on disk, and going with those assumptions in mind, looking at what tools a provider gives you to more efficiently secure those things.
“The trick is, does your cloud provider have a contractual obligation to tell you about an incident in their infrastructure that doesn't involve a direct breach of your data? And chances are, they don't have a contractual obligation there. So to say that they haven't had a breach, well, what does that mean? Does that mean that there's never been an intruder in anywhere in their infrastructure, or does that mean that there's been no theft of specific data that then triggers that label of breach?
“I would say that, just given the sheer volume, the sheer size of these entities, there has to have been some intrusion at some point. It just didn't necessarily hit that threshold for calling it a breach and doing victim notifications. And these cloud providers do have a very strong incentive to maintain high security standards of their infrastructure. But also, frankly, to split hairs about when they do need and don't need to do a notification.
“Because it all comes out to reputation. If Amazon came out tomorrow and said they had a breach, and then let's say they did it out of an abundance of caution and they decided they wanted to be even more forthcoming than anyone else, all of their other competitors are gonna turn around and say, "Oh, you should come over to us because they had a breach." So there's some strange market incentives that could push a provider to split hairs on that. But overall, I see a strong commitment from all of them to secure their infrastructure.
2) Why is Focusing on Cloud-Specific Cybersecurity a Mistake? (2:35)
“Well, the reality is that most organizations are still hybrid. They're still going to be hybrid for some time, and that means they have some amount of data that's on-premise and is handled on premise. And they have a large amount and growing amount in the cloud, and that data flows oftentimes between those environments.
“So you have to know and understand both places. It's not like I can say, ‘Well, we're going to a cloud for strategy, and therefore, I don't have to worry about or focus anything on doing security for my legacy stuff.’ Those legacy things, which is what we tend to call them, they're gonna be around for quite a long time to come.
“And that's a huge opportunity loss because you're not stepping back to analyze the types of data you're processing, how you're securing them, and potentially re-architecting them to take advantage of what cloud provides to better process them, be more efficient, be more secure potentially. If all you do is just pick it up and move it, you're taking all of the past decisions, good and bad, on to the new thing.
“So that's why you see a lot of organizations that are going to cloud first, which simply means that, as a new project, as a new service offering is being contemplated, immediately look towards housing that in the cloud as the first place instead of building on-prem and then looking later to move it. And then through attrition or through well-thought-out migration plans, move old stuff to cloud in its new form.”
3) What About Managed Visibility in the Cloud? And Let’s Define Managed Visibility (2:27)
“Well, you need to know what exists in those [cloud] environments. If you think about how quickly you can spin up a resource in the cloud, it's a few clicks, and maybe a minute or two, five minutes later, that resource is available to you to start consuming. Now, when you do that, it's easy to lose track of what you've spun up. Because it's so easy to turn it up, it's easy for someone to forget to turn it down. "Oh, I was just testing on something." And things start to take on a life of their own out in those environments.
“And we saw that on-premise with virtualization for the longest time. In the old [chuckle] days, you'd buy a physical piece of hardware, you'd have to cut a purchase order for it, it had to be shipped, someone had to receive it, stick a barcode on it, type it into your asset management database, put it in a rack in a data center, all these steps that made it such that people could track it from the second it was ordered to the second it arrived and all of that.
“And then with virtualization on-premise even, you started getting VM proliferation, where it is so effortless to spin something up, and cloud honestly makes it almost even easier to do. And unlike on-premise, where you still have a fixed amount of CPU and therefore you could over-subscribe things and start to notice that maybe we're building a bit of cruft, in the cloud that just keeps expanding.
“It expands to fit the need. So you need to know what you have out there, how often it's actually being utilized. There's obviously cost benefits to being able to track those things, but from a security perspective, you're still responsible for patching those things that ride above the cloud infrastructure. So you still need to know they exist and what the current patch levels of them are.”
4) What Can Be Done to Lessen the Factor of Human Error in Cloud Security? (1:40)
“So a lot of cloud infrastructure provides automation capabilities. CloudFormation templates, things of that sort. So you can really build out a template of what you wanna do and consistently, as you spin up a new resource, it's already built to your standard. That way, you just have a much easier time of it. Things like containers make it even easier, in theory.
“That's an interesting area where I see people fall into a trap. They think that containers are a solution to patch management or other problems because, hey, as soon as you tear it down and spin up a new container, it'll have whatever the latest and greatest of something is, and you're up and running. And that's how it was largely intended. Containers used to be a very ephemeral thing that gets spun up, gets spun down very quickly as demand requires.
“The reality I see a lot of organizations doing is they spin them up almost like a regular VM and they may last for hours, days, or months. So some of those potential benefits of working through containers aren't necessarily realized.”
5) How Can Building Cloud Formation Templates Help Cloud Security? And What’s Your View on the Future of Cloud Security? (3:37)
“Templating is everything, right? So that comes back to human failure. As long as you have a consistent configuration, you're going to be in a better state and then that also allows you to shift between different providers. If you've done it right and you can export those templates out, you can move between different providers and still have the same base configurations to work from.
“[In terms of future developments] We're seeing more ability to do data encryption at rest. Really, things like that, it's becoming easier and easier to do. I think we're seeing the providers start to bake in a lot more features for security, but then doing it almost like a health check option somewhere within their management UI to say, ‘Hey, you could be more secure if you enabled these features.’ So guiding people through it.
“So the first couple of iterations have been around adding the features in, predominantly based on demand, and then the cloud provider saying, ‘Well, these other features need to be added regardless of demand.’ And then now it's the realization that, ‘Well, people may or may not know that those features exist or why they need to enable them, so we have to have a means of identifying it for them.’ And that was that first part of health check. And now, it's more to the, ‘Hey, we really need to prod them and walk them through enabling those features.’ And it's just going to be continuous improvement on that to get people to a more and more secure state by default with any of these configurations.
“There are certain things you can't just turn on, like some of the data-at-rest encryption; there are certain aspects of that that... Or a good example would actually be row-level encryption in a database. You have to build your program to actually take advantage of those things, but you have to know that the feature exists and you have to be prompted to make use of it. And I think the providers are all doing better jobs now of rolling out the feature. Now it's into that prompt the user, ‘Hey, this is available to you. You should be using it.’”
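To make the templating point from questions 4 and 5 concrete, here is an added example (not from the webcast or its speaker) of a small check that a CloudFormation template builds S3 buckets to a baseline: every bucket must block public access and have default encryption at rest. The template, bucket names and finding strings are constructed for illustration; the property names are the real AWS::S3::Bucket keys.

```python
import json

# Constructed sample template in CloudFormation's JSON form: ScratchBucket is
# the "open S3 bucket" case from the interview, DataBucket is built to standard.
TEMPLATE = json.loads(r'''
{
  "Resources": {
    "ScratchBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "example-scratch"}
    },
    "DataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "BlockPublicPolicy": true,
          "IgnorePublicAcls": true, "RestrictPublicBuckets": true
        },
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
          {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}
      }
    }
  }
}
''')

# All four flags must be true for the bucket to be fully closed to public access.
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")

def check_bucket(name, props):
    """Return baseline violations for one AWS::S3::Bucket's Properties."""
    findings = []
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.append(f"{name}: public access block incomplete")
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not any("ServerSideEncryptionByDefault" in rule for rule in rules):
        findings.append(f"{name}: no default encryption at rest")
    return findings

def check_template(template):
    """Walk every resource and collect findings for S3 buckets only."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::S3::Bucket":
            findings.extend(check_bucket(name, res.get("Properties", {})))
    return findings

if __name__ == "__main__":
    for finding in check_template(TEMPLATE):
        print(finding)
```

Running the same check in CI against every template before deployment is what keeps new resources at the standard as the infrastructure changes.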