Cloud adoption is increasing. While growth rate estimates vary, the trend is going up. But some studies reveal that cloud security remains a big concern, and it’s having an impact on cloud services adoption. According to a study by Intel, 49% of customers said they slowed down their rate of adoption last year over security-related concerns, specifically citing a shortage of cybersecurity skills.
A few weeks ago, I sat down with a colleague to share my perspective on the question of cloud security for a podcast recording. We discussed some of the trends I’m seeing in the industry, and naturally, the subject brought up many other questions. It was a fun, productive discussion. So I thought I’d share a little bit of our Q&A with you in this article. I hope you find it helpful.
How has the increased use of cloud services affected traditional security models?
In the past, we talked about “securing the perimeter.” We defined our perimeter and kept our sensitive data inside of it. The goal was to create a layered defense structure around that perimeter to keep the bad guys out.
Today, that concept has gone out the window. The perimeter is “dead” in the classic sense of the word. Now, with cloud services, mobile, and IoT, the perimeter is everywhere.
When you think about software-as-a-service (SaaS) applications, other than the data, the vendor provides everything. They provide the infrastructure, the platform, the application, the support structure—everything needed to make the system work. And all of those things are out of the direct control of the customer.
A similar concept holds, to a degree, for infrastructure-as-a-service (IaaS) solutions. With IaaS, the traditional data center architecture—compute, network, storage, and facilities—is now outsourced to and managed by a cloud provider. The customer is still responsible for their data, applications, and OS, but they have more constraints on how they can layer security controls onto that data. Oftentimes these controls need to be validated and approved for use within the managed cloud service, and they come at a cost, both financially and in terms of features and functionality, compared to traditional security controls.
Both scenarios have a big impact on traditional security models. The old way of protecting against cyber threats just doesn’t work anymore.
What threats are unique to cloud environments?
Cyber threats are cyber threats, regardless of where the applications run. Whether an application runs in the cloud or in an on-premises data center, the threats and their outcomes are the same: breaches, sensitive data loss or tampering, malware infection, denial of service (DoS) attacks, and others.
The unique thing about cloud threats and their associated outcomes is the size and scale that cloud affords the threats to operate within. In on-premises solutions, you are bounded by the constraints of your purchased hardware. In the pay-per-use world of the cloud, attacks can be severely amplified, with a direct financial impact on the client beyond the fallout from the threat itself.
Additionally, the risk model gets more complex. Because cloud applications run on a hosted or shared environment in a provider’s data center, some of the security processes once performed by the customer are now outsourced to the provider. That is a cause for concern for some organizations, and the client should take strict care to assess the third-party risk element, so they can determine and articulate where and how much of the risk burden is assumed by the provider or passed back to the client.
How are organizations that consume cloud addressing their security concerns?
We have an unfortunate reality. Most organizations are approaching the issue by utilizing legacy security models. They are putting in legacy-type security environments that are not tailored to cloud services.
Speed is often the culprit. Today, a lot of organizations are under the gun to migrate to cloud. In their haste, security is often overlooked or put on the back burner. I hear statements like, “After we get up and running” or “After we migrate these data sets” or “After we get the business stable on this cloud service,” which is quickly followed by, “Then we will go back and address any security concerns.”
This “need for speed” has a huge impact, especially when you look at rights management. For example, when an application is migrated to the cloud in a SaaS scenario, user rights management often doesn’t go along for the ride. If that happens and no one catches it, you could have users with access rights to data they probably shouldn’t have. And that could be a big problem.
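One way to catch the rights drift described above is to reconcile the on-premises entitlements (the source of truth before migration) against the effective permissions implied by the roles assigned in the SaaS tenant, and flag every user whose access grew, shrank, or has no baseline at all. The script below is an added illustration, not code from ePlus or from any CASB product; the entitlement sets, the workspace/role-to-permission mapping, and the user names are constructed sample data, and the hypothetical `SAAS_ROLE_PERMS` table stands in for whatever role model a real vendor exposes.

```python
"""Reconcile post-migration SaaS role assignments against the on-premises
entitlement baseline and report users whose access changed in the move.
Added example with constructed data; not the original article's code."""
from dataclasses import dataclass, field

# Constructed baseline: fine-grained entitlements each user held on-premises.
ONPREM_ENTITLEMENTS = {
    "alice": {"finance:read"},
    "bob": {"finance:read", "finance:write"},
    "carol": {"hr:read"},
}

# Hypothetical SaaS role model: the vendor only offers coarse per-workspace
# roles, so each role has to be expanded to the permissions it really grants.
SAAS_ROLE_PERMS = {
    ("finance", "viewer"): {"finance:read"},
    ("finance", "editor"): {"finance:read", "finance:write"},
    ("hr", "viewer"): {"hr:read"},
    ("hr", "editor"): {"hr:read", "hr:write"},
}

# Constructed snapshot of what the SaaS tenant shows after the migration.
SAAS_ASSIGNMENTS = {
    "alice": [("finance", "editor")],                     # was read-only before
    "bob": [("finance", "editor")],                       # unchanged
    "carol": [("hr", "editor"), ("finance", "viewer")],   # two unexpected grants
    "dave": [("hr", "viewer")],                           # no on-prem account
}


@dataclass
class Finding:
    user: str
    excess: set = field(default_factory=set)   # granted in SaaS, absent on-prem
    missing: set = field(default_factory=set)  # held on-prem, lost in SaaS
    orphan: bool = False                       # no baseline identity at all


def effective_saas_perms(assignments, role_map=SAAS_ROLE_PERMS):
    """Expand a user's (workspace, role) assignments into concrete permissions."""
    perms = set()
    for workspace, role in assignments:
        perms |= role_map.get((workspace, role), set())
    return perms


def reconcile(baseline, saas_assignments, role_map=SAAS_ROLE_PERMS):
    """Return {user: Finding} for every user whose SaaS access differs
    from the on-prem baseline. Users that match exactly are omitted."""
    findings = {}
    for user, assignments in saas_assignments.items():
        effective = effective_saas_perms(assignments, role_map)
        if user not in baseline:
            findings[user] = Finding(user, excess=effective, orphan=True)
            continue
        excess = effective - baseline[user]
        missing = baseline[user] - effective
        if excess or missing:
            findings[user] = Finding(user, excess, missing)
    return findings


def format_report(findings):
    """Render findings as one line per user, sorted for stable output."""
    lines = []
    for user in sorted(findings):
        f = findings[user]
        tag = "ORPHAN " if f.orphan else ""
        lines.append(f"{tag}{user}: excess={sorted(f.excess)} missing={sorted(f.missing)}")
    return lines


if __name__ == "__main__":
    for line in format_report(reconcile(ONPREM_ENTITLEMENTS, SAAS_ASSIGNMENTS)):
        print(line)
```

Running it lists alice's unexpected write access, carol's two extra grants, and dave as an orphan with no on-prem identity; bob is silent because his effective access matches. The same structure applies to any migration where the target system uses coarser roles than the source: expand roles to permissions first, then diff against the baseline rather than comparing role names.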
How is technology impacting the ability to maintain security in cloud environments?
Technology is stepping up in a big way. Most, if not all, security vendors that have products designed for the prevention or detection of threats have released cloud-ready versions of their products over the last 18 months. The goal is to inject those network-centric or host-centric security technologies into whatever cloud infrastructure is developed, to make sure both the north/south traffic in and out of the cloud environment and the east/west traffic between applications are protected.
In addition, more customers are using or at least evaluating cloud access security broker (CASB) solutions. In general, CASB solutions provide deep visibility into cloud applications, either through a reverse proxy or by tying into back-end APIs, so administrators are aware of actions involving uploads and downloads of files as well as moves, adds, and changes to user rights, data access, or controls. Plus, many solutions are integrated with malware detection providers, so files can be scanned for malicious signatures before being uploaded. There are several products on the market, including Cisco CloudLock, NetSkope, and CipherCloud.
CASB solutions address security concerns that SaaS providers aren’t including natively in their applications. Adoption has been slow up to now, but that is expected to change. In fact, Gartner listed CASB as one of the top 10 technologies for information security in 2016.
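To make the CASB visibility described above concrete, here is an added example (not from the article, and not the event format of CloudLock, NetSkope, or CipherCloud) of the kind of detection logic an API-mode broker runs over a SaaS tenant's activity feed. The JSON event lines, the field names, the tenant domain `example.com`, and the thresholds are all constructed assumptions; the four checks cover the activity types the paragraph lists: bulk file downloads, sharing with an outside party, a rights change that grants admin, and an upload the malware scanner flagged.

```python
"""Run CASB-style detections over a constructed SaaS activity feed.
Added example with invented event format; not any vendor's real schema."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample feed: one JSON object per line, as a tenant API might return.
SAMPLE_EVENTS = """\
{"ts":"2016-09-01T09:00:00Z","user":"alice","action":"download","object":"q3-forecast.xlsx"}
{"ts":"2016-09-01T09:00:20Z","user":"alice","action":"download","object":"payroll.csv"}
{"ts":"2016-09-01T09:00:45Z","user":"alice","action":"download","object":"board-deck.pptx"}
{"ts":"2016-09-01T09:01:10Z","user":"alice","action":"download","object":"customer-list.csv"}
{"ts":"2016-09-01T09:05:00Z","user":"bob","action":"share","object":"payroll.csv","target":"mallory@example.net"}
{"ts":"2016-09-01T09:05:30Z","user":"bob","action":"share","object":"agenda.docx","target":"carol@example.com"}
{"ts":"2016-09-01T09:06:00Z","user":"bob","action":"role_change","target":"bob","new_role":"admin"}
{"ts":"2016-09-01T09:07:00Z","user":"carol","action":"upload","object":"invoice.docm","scan_verdict":"malicious"}
{"ts":"2016-09-01T09:08:00Z","user":"carol","action":"upload","object":"notes.txt","scan_verdict":"clean"}
{"ts":"2016-09-01T09:30:00Z","user":"alice","action":"download","object":"readme.txt"}
"""

ALLOWED_DOMAINS = {"example.com"}      # assumption: the tenant's own domain(s)
BULK_THRESHOLD = 4                     # downloads per user inside the window
BULK_WINDOW = timedelta(minutes=5)


def parse_event(line):
    """Decode one JSON line and turn the ISO-8601 timestamp into a datetime."""
    event = json.loads(line)
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines, allowed_domains=ALLOWED_DOMAINS,
           threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Return a list of alert dicts for the activity feed, in feed order."""
    alerts = []
    recent_downloads = defaultdict(deque)   # user -> timestamps in window

    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        action = ev["action"]

        if action == "download":
            # Sliding window: drop timestamps older than the window, then
            # alert once when the count reaches the threshold and reset.
            q = recent_downloads[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"type": "bulk_download", "user": ev["user"],
                               "count": len(q), "ts": ev["ts"]})
                q.clear()

        elif action == "share":
            # Sharing to an address outside the tenant's domains is exfil risk.
            domain = ev["target"].rsplit("@", 1)[-1].lower()
            if domain not in allowed_domains:
                alerts.append({"type": "external_share", "user": ev["user"],
                               "object": ev["object"], "target": ev["target"],
                               "ts": ev["ts"]})

        elif action == "role_change" and ev.get("new_role") == "admin":
            # Rights "adds and changes" that elevate to admin need review.
            alerts.append({"type": "privilege_grant", "user": ev["user"],
                           "target": ev["target"], "ts": ev["ts"]})

        elif action == "upload" and ev.get("scan_verdict") == "malicious":
            # Integrated malware scanning flagged the file before storage.
            alerts.append({"type": "malware_upload", "user": ev["user"],
                           "object": ev["object"], "ts": ev["ts"]})

    return alerts


def summarize(alerts):
    """Count alerts by type, handy for a dashboard or a test."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the sample feed the run yields exactly four alerts: alice's four downloads inside five minutes (her lone download at 09:30 is outside the window and stays quiet), bob's share to the outside domain, bob's self-grant of admin, and carol's flagged upload; the clean upload and the internal share produce nothing. Resetting the download window after an alert keeps one burst from generating a new alert on every subsequent file.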
How can organizations help mitigate risks that cloud adoption creates?
It goes back to the basics of cybersecurity. By that I mean this: you need to start with developing a clear understanding of the risk to your data. In any sort of cloud migration strategy, identification of the data, the sensitivity of the data, and the impact that loss of or damage to that data would have on your organization must be determined up front. Once that work has been completed, then you need to evaluate what protections can be put in place to safeguard your information.
When evaluating cloud providers, you need to perform due diligence regarding their security controls. That can be complicated because there are many factors to consider.
- How is multi-tenancy handled?
- How will your data be stored with respect to other clients’ data?
- How is access control to the environment handled?
- What certifications has the provider achieved?
- How does the provider use encryption? Will your data be encrypted at the application level or disk level?
- What is their backup process? What is their disaster recovery strategy?
- Who is authorized to access your data, and what is the security screening process for their personnel?
This is just a small sample of the questions. There are many more. When we work with an organization to evaluate a provider, we use a cloud security matrix that contains a comprehensive list of in-depth questions.
How do we at ePlus help customers tackle these challenges?
We help in several ways. We help organizations work through the process of identifying their sensitive data and clarifying their policies and procedures around data control. We do that through our strategy and risk management program. We have a structured cybersecurity management program, and we can tailor it toward cloud migration, which includes helping an organization evaluate cloud service providers from a security standpoint as well as doing data classification efforts around data they plan to move to the cloud.
From an architecture standpoint, we have highly skilled engineers who help customers move into IaaS providers in a hybrid cloud scenario. They provide expert knowledge on data encryption, micro-segmentation, security segmentation, and threat inspection within cloud environments and can help build those capabilities into a customer’s architecture and design.
From a SaaS perspective, we partner with leading CASB providers to help augment movement into SaaS environments and provide agnostic feedback on features and functionality that are most important to a customer’s business.
We offer other services as well. But most importantly, we help customers keep security in mind for everything. We are in a space right now where the threat vectors are becoming more numerous every day across cloud, IoT, and mobile. As those trends become even more pervasive, we need to make sure security is woven into every solution.