The Evolution of Cloud Security Then Now & to Come
This is the audio-only version of our cyber security talk show, teissTalk.
- Key phases, use cases and requirements for cloud security
- What cloud security meant in the past; how we are defining cloud security today; and what we believe cloud security will mean for us in the future.
- What’s the best way of developing a consistent organization view of cloud risks to make well-informed decisions about vendors and services?
John Opala, Vice President of IT Security, McCormick & Company
Edd Hardy, Senior Vice President Cyber Security, AlixPartners
Dr Erdal Ozkaya, Regional Chief Information Security Officer, Standard Chartered Bank
Paul Baird, Chief Technology Security Officer, UK, Qualys
This episode is hosted by Jenny Radcliffe
THE EVOLUTION OF CLOUD SECURITY
What is cloud computing?
According to the NIST 800-145 definition, the main characteristics of the cloud are on-demand service, broad network access, resource pooling, rapid elasticity and measured service. Does this definition help us as security professionals? As you can see, the driving factors for the cloud were mainly productivity, availability and resiliency, which is perfectly fine, but security is missing from the equation.
The problem is that once you move to the cloud and start consuming services, it becomes an endless project. Migrating or extending to cloud services adds more tools, computers, servers and applications to your current IT portfolio. In other words, it creates a totally new attack surface, or a new network perimeter, that you need to secure.
Introducing the cloud to your current IT environment adds the following challenges:
- Integration of new applications with existing ones (which may be obsolete or developed in-house).
- Manageability of assets on-premise and in the cloud
- Data flowing between your on-premise environment and cloud devices and applications. Remember the new privacy and information regulations such as GDPR.
- Different silos of processes and tools
This is a complete transformation, and on top of it, security is shaped to tackle all these challenges.
Information Security Transformation
Most businesses are transforming into digital businesses by using the latest technologies. One of the main reasons for this transformation is to compete with digital-native startups. New digital startups are disrupting the market and forcing their competitors either to move to the new digital business model or simply exit the market.
This new IT and digital world provides both challenges and opportunities for information security. While the challenges are significant, as discussed earlier, there is also a huge opportunity to solve longstanding security problems using new technologies and platforms, the cloud foremost among them.
Given the challenges mentioned above, it is very clear that the old network perimeter is changing. In the old days your perimeter was your office network: you needed to be in the office and connected to its network to start accessing and working on your data and files. Now, with the cloud, the network perimeter has dissolved. Users can access data and work from anywhere, on almost any device and platform.
The new, modern perimeter is the identity perimeter, which means the main protection is the set of identity controls used to protect your data (information assets) and your endpoint devices. This requires a new architecture mindset based on the well-known cloud/customer responsibility matrix.
Cloud and Customer responsibility sharing
Some users think that moving to the cloud will make them more secure by default, while others think it makes them even more vulnerable. The truth is that it is a shared responsibility between both parties. The cloud will definitely offer better security options, but the user must use them, and sometimes configure them, to get the best out of the cloud.
Let us take the example of Software as a Service (SaaS), which is one of the most common models of leveraging the cloud. According to the cloud/customer responsibility matrix below, the three main areas of customer responsibility are as follows:
- Identity Protection
- Information protection
- Endpoint protection
Identity Protection, which is crucial, means more investment in Privileged Access Management software; getting rid of old legacy identities; adopting IAM solutions that support single sign-on (SSO) and leverage protocols like SAML to integrate with third parties and other partners; using multi-factor authentication, since a password alone is no longer sufficient to protect your account; and, finally, quality monitoring of all connections and authentications to your system, with a proper alerting system.
Endpoint Protection requires a cross-platform management solution to manage any client on any platform; a sound endpoint protection solution with endpoint detection and response (EDR) capabilities; a device compliance solution to ensure all connected devices are healthy; and, again, on top of these, your monitoring solution.
Information Protection is the most critical moving part, and the responsibility falls on the customer alone as the sole owner of this information. It means adopting a cross-platform solution to scan your resources, classify and label data and files, protect them (with encryption, for example) and then monitor the usage of this information on any platform.
As you can see, with the SaaS model the customer should take care of these key areas and rely on the cloud service provider for other areas such as hardware, datacenter, applications, patching and maintenance. This is the real benefit of the cloud.
The cloud is a real opportunity but also a challenge for us as security professionals. It is not just someone else's computer accessed remotely, but rather a shift in mindset with new processes, technologies, tools and, more importantly, operations. It cannot be treated as a traditional IT environment; otherwise we will not only miss the benefits of the cloud but might also be open to more and different threat vectors.