Cloud-focused network managers have outsourced a huge burden by moving applications to cloud service providers. Hardware, networking, data center management, high-availability and storage: All of these things get simpler after shifting to the cloud.
Security, however, remains the responsibility of the businesses’ own IT managers. That has led to some uncertainty about who is in charge of what in the cloud. Let’s separate myth from reality when it comes to cloud security.
Fallacy: Cloud Providers Will Take Care of Network Security
It’s certainly true that Infrastructure as a Service (IaaS) providers such as Microsoft have serious security — it’s on their own infrastructure. But having best-in-class intrusion prevention systems, security information and event management systems, web application firewalls, and other network security gadgets for themselves isn’t doing their customers a bit of good when it comes to the customers protecting their own networks. A business using IaaS is replacing its servers with their servers. But the responsibility for all aspects of network security remain with the business.
Fortunately, all of the most well-known security products are now available in virtual machine versions suitable for deployment within an IaaS virtual data center. Or, these additional services can be purchased from the IaaS service provider. It isn’t necessary for the business to rethink its security strategy when moving to the cloud, but it is important to put the same technologies in place to protect the business’s virtual servers that it was using to protect its own physical servers. And it remains the business’s responsibility to provide configuration, security operations center and security expertise to set up and manage these tools.
Fallacy: The Cloud Substantially Cuts Security Costs
Because the business is always responsible for its own security, the IT team should be making the same configuration controls, collecting the same logs and installing the same network security technology that it was when the application was in its own data center.
It is true that the business may save money on a few items, like physical security and disaster recovery. But whatever savings are realized should be spent on doing a better job at network microsegmentation, change management and security information and event management analysis, and rule-writing — three areas most businesses put off and don’t invest in, until they learn an unpleasant lesson.
Fact: Putting More Applications in the Cloud Makes Security Harder
Actually, whether cloud-based applications make security harder or easier is largely up to the business, but the trend is that they make things more difficult. This difficulty comes from the lack of standardization and coordination among cloud service vendors. Each of the cloud service providers, whether Software as a Service (SaaS), IaaS or Platform as a Service, has a different viewpoint on how security should be done, and how the responsibility should be shared. And businesses have to deal with them all.
A business with a very small number of vendors only has to reconcile a small number of viewpoints and security strategies in its own security roll-up. But when it starts notching up a long list of vendors that are all cloud service providers, then it is making life complicated for its IT security team.
That might come with a good rationale — such as wanting to have some leverage in contract negotiations or wanting to cherry-pick among services offered to get the best price possible. But there is a cost in overall security complexity. It’s a balancing act, but network managers know that there are higher marginal costs with adding a new service provider compared to simply adding more applications or services with the same provider. That may not be enough of an argument to sway the C-suite, but it’s the job of tech leadership to point out these facts as input for the decision-making process.
Percentage of organizations that are moderately to extremely concerned about cloud security.
Source: Cybersecurity Insiders, “2019 Cybersecurity Report,” 2019
Fallacy: SaaS Applications Cut IT Leaders Out of the Security Loop
SaaS applications are fundamentally different from local or even IaaS cloud-based applications because the control of the application is ceded to the SaaS provider. With the big SaaS applications — including Office 365, Salesforce and Dropbox — full raw logs and configuration management are simply unavailable. The business might have access to a subset of the logging information and only a bare minimum of configuration required for its own slice of a multitenant pie.
What that means is that the security team has to change strategy, because its normal tools such as SIEM are not active in this environment. You’ll find that there is still plenty of security to go around — it’s just executed much higher up in the stack, at the application layer. This means that when a business has a big SaaS dependency, it has to swap out some network-layer security expertise for more application-layer security.
A good example is Windows Active Directory, which many businesses depend on for authentication and access control: SaaS will make heavy use of a business’s Active Directory structure. For that reason, businesses should audit their own Active Directory to make sure that it has the policies in place that are appropriate and that its access control rules (usually done through groups) actually reflect reality.
Such an audit may reveal a business that has a large number of such groups whose purpose is unclear. Good SaaS security requires taking a serious look at the Active Directory, cleaning it up, documenting it — and creating processes and procedures to ensure that it remains clean and well-documented.
MORE FROM BIZTECH: Read why better crowd security is crucial for business growth.
Fallacy: Using a Cloud Access Security Broker Solves All Problems
The cloud-access security broker is a new product to the market. Some CIOs have pointed to their security brokers as the magic pixie dust that somehow solves all cloud security problems. While a cloud-access security broker can be a help in adding fine-grained access control policies as data zips around between on-premises and cloud applications and data consumers, it is not the magic bullet to solve new cloud-created security issues. Businesses should explore security brokers, but remember that they don’t solve any of the problems that old-school network security technologies tackle.