For a long time, security was the No. 1 hang-up for organizations considering a move to the cloud. How could data be secure outside the network, “out there” in the cloud?
According to a November 2016 IDG Enterprise Cloud Computing Survey, businesses are moving past this cloud-phobia, with at least 70 percent using the technology and 56 percent looking to transfer more of their operations to the cloud. Ironically though, once they get to the cloud, organizations face a new thicket of cloud security issues that they must navigate.
The conversation has moved on from, “Is cloud safe?” to, “Now that I’m here, who’s responsible for keeping my data safe?”
Digital Transformation Spurs Questions on Cloud Security
There are numerous related developments in the market that have led organizations to start asking the hard questions about cloud security.
“In the marketplace, digital transformation is happening, where organizations are leveraging best-of-breed tech to be more competitive,” explains Ron Zalkind, CTO of Cisco Systems’ Cloud Security. “It’s driven by three things. First, employees are bringing in their own devices and apps. Second, to enable this, there’s been a shift to consume [Infrastructure as a Service and Software as a Service], running it from the cloud. And third, this is leading to organizations reconfiguring network access to employees. With all of this going on with digital transformation, companies are now turning to their security teams to figure out how to keep it all safe.”
Many of the technologies that companies are relying on to stay agile and competitive are cloud-centric.
“The spotlight is on cloud now in a much more significant way — because enterprises are starting to put their entire infrastructure there,” says Rick Crane, head of cloud security in the Americas for Check Point. “It’s not [until] you saw large enterprises starting to move their infrastructure to the cloud that people started asking questions about cloud security. What to secure, where the vulnerabilities are, who’s responsible for what. And the current gap in information for such a significant business development is alarming.”
Cybersecurity Concerns Are Top of Mind
Alongside these marketplace developments, the topic of data security continues to loom large in the public consciousness. Headline-grabbing security events such as the Equifax data breach and WannaCry ransomware attack have made everyone more conscious of the need for data security. In particular, ransomware appears to have struck a nerve.
“Hacking’s been around for a while, but ransomware really made cybercrime a business in many people’s eyes,” says Crane. “It changed how people perceive security.”
Corporate boardrooms are taking notice. While ransomware has not proven to be particularly costly to enterprise bottom lines, the way it puts a public spotlight on the organization being held hostage projects a very negative image. A growing familiarity with security incidents has created broader awareness of security issues among C-level executives.
“With today’s ‘modern’ CIO, security is becoming an easier proposition to sell,” says Jason Eberhardt, North American cloud channel leader for Symantec. “The conversation has changed, where today everyone is more aware of security and the value of it. Before, the cloud was poorly understood, so security had been an afterthought. But now the conversation has moved to ‘good enough’ versus ‘total security.’ Enterprises are thinking more secure-forward.”
Thinking secure-forward means including the question of security into every link in the cloud computing model. There’s often a perception going into cloud computing that security is taken care of by the cloud service provider, which is not the case. “I think part of the knowledge gap is that when people think of cloud, it’s someone else’s data center,” says Crane. “They don’t know where it’s located. There’s a notion that it’s secure. Like their bank account, hosted someplace else and safe.”
“Security is everyone’s responsibility,” says Eberhardt. “We don’t think about it that way, but it’s the truth. There’s a million doors. Every door is an access for exploit to get in where it shouldn’t be. Security is closing/locking all of those doors.”
Who Is Responsible for What in Cloud Security?
To start with, organizations need to know who exactly owns what part of the cloud security puzzle. Generally, it breaks down to finding out what the provider takes care of in order to find out the responsibility of the customer.
“Cloud has a shared responsibility model,” Zalkind explains. “With cloud, where you leverage someone else’s data center, you now have less direct responsibility for security for that infrastructure. So, you need to have [service-level agreements] in place.”
“Responsibility for cloud security is two-fold — [the] cloud vendor and the business,” adds Eberhardt. “The vendor secures physical, network and [on-premises] security. They are responsible for the data center.”
Cloud service providers are not responsible for app-level security, Zalkind notes. “So, what are customers responsible for?” he continues. “For [Infrastructure as a Service], above the bare network level, you are responsible for firewalls, patching operating systems, deploying software free of vulnerabilities, and network access control.”
Moving from ‘Good Enough’ to ‘Total Security’
Organizations are so often concerned with external cybersecurity threats that they can overlook internal attack vectors.
Cybercriminals understand this and have turned to lateral attack strategies, finding a vulnerability on an internal system and using that to gain access to other systems with more valuable data.
“Securing east-west traffic, internal traffic, can’t be overlooked,” Crane says. “In most cases, we advise having a strategy for external perimeter and internal resource traffic. Seventy-five percent of the time, this gets put off. Because companies don’t realize that a lot of attacks start in one place and proliferate across the network.”
Authentication is another overlooked area during cloud transitions. “Make sure you have strong authentication,” Zalkind advises. “Secure where the data lives and while it’s in use. Most major cloud providers support two-factor, but customers don’t configure it properly, out of concerns about productivity.”
The increased reliance on mobile access to data as part of a digital transformation offers another threat vector that can’t be ignored. “Mobile devices connecting to the cloud is now very common,” Crane says. “People are a little naïve about it, not giving it the scrutiny it deserves. Mobile device compromise can happen anywhere — like a man-in-the-middle attack at the coffee shop. The connectivity from mobile to cloud is a real issue that organizations need to look at more closely.”
Automating Security via the Cloud
Clearly, security cannot be an afterthought with a move to the cloud. However, the cloud does offer opportunities to improve on security through automation.
“These responsibilities don’t change because you move to the cloud,” says Zalkind. “With cloud, you are forced to automate a lot of security functions. You can program security configs, switching from human defined to software defined. This has the effect of making your cloud activity more secure.”
Moving data to the cloud forces a complete reassessment of security across the business — a unique opportunity that shouldn’t be passed up.
“Take a hard look at the current posture, and consider what’s going to change,” Crane says. “What’s going to get better? What’s going to get worse? The big unknown for a lot of folks is, what are the new vulnerabilities? How do we protect ourselves, now?”