Cloud

1/25/2017
02:30 PM
Frank Mong
Frank Mong
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Cloud Is Security-Ready But Is Your Security Team Ready For Cloud?

Cloud computing has moved beyond the early adopter phase and is now mainstream. Here's how to keep data safe in an evolving ecosystem.

By now, most of us in IT are well aware of the technical and business advantages that moving to a cloud-based data center provides: the ability to dynamically scale network capacity as demand changes, reduction in capex costs associated with implementing, maintaining and staffing a physical data center, and being able to let employees share data anytime, anywhere and on any device.

These are compelling benefits. But there is still a lingering hesitancy among some organizations considering a move to the cloud. In my experience, most concerns boil down to two factors: a reluctance to put trusted data on a network that’s not on the premises, and confusion around the costs and complexity of moving to the cloud. Let’s take a closer look at the pluses and minuses surrounding these issues.  If that’s what’s keeping an organization from the cloud, I have three points to share that should help them clear up the “cloudiness” (pun intended) and shine light on the possibilities.

When It Comes To Security, The Cloud Is Ready
If there is one roadblock that keeps IT teams leery about the cloud, it’s cybersecurity. And while cybersecurity will always be a concern, when it comes to the cloud, the industry is well-prepared. Leading public cloud providers, like Amazon AWS and Microsoft Azure, have made significant investments in securing their cloud environments and both companies offer robust security resources to cloud customers via the Microsoft Azure Trust Center or Amazon’s AWS Cloud Security.

Cloud providers are also building an expansive ecosystem of security technology partners who can provide cybersecurity solutions for the public cloud and Software-as-a-Service. These solutions, if implemented as a cohesive platform and not an ad hoc collection of security devices that don’t work well together, can provide a consistent and seamless security experience to both cloud-based and physical networks through consistent visibility, policy, and enforcement across the network regardless of a user’s location. Another plus is the Cloud Security Alliance, an industry consortium of companies that provides excellent resources to help cloud adopters address security concerns and stay up to date on the latest developments in cloud technology

Are You Ready for the Cloud?
Specifically, have you or your security team completed the necessary due diligence to identify the specific security functions required by your cloud solution? For example, AWS supports several native services that provide log and network flow information, such as CloudWatch and CloudTrail. Tools like these are powerful and highly configurable, provided you know how to use them and what you want from them. 

Many enterprises may want to consider a third-party provider to do the integration work. This type of third-party approach will provide security, visibility, support, and long-term operational scale. When selecting a cloud integration partner, look for partners with certifications in cloud technology from vendors and industry organizations alike; Amazon, HP, and Microsoft. All offer certifications for their cloud platforms, and industry groups like the Cloud Security Alliance and the SANS Institute also offer cloud security training and certification. 

You May Already Be in the Cloud (Even If You Don’t Know It)
Businesses need to move fast these days, and departments within an organization may take it upon themselves to adopt cloud technologies without bringing IT into the loop. It’s a long-standing trend known as “shadow IT,” and it’s causing headaches as IT departments try to stay on top of which applications are operating on their network. For organizations that feel that shadow IT isn’t a concern for their organization, I would point you to a survey Brocade conducted last year in which 83 percent of CIOs surveyed said they had experienced some level of unauthorized provisioning of cloud services within their organizations. It would seem the old cliché “If you can’t beat ‘em, join ‘em” is especially relevant to the cloud.

One way to get employees to leverage cloud services in the appropriate way is to publish policy templates for cloud platforms. Sales team wants to implement Salesforce via the cloud? No problem, provided the service is used by employees in ways that comply with existing security policy.

Hybrid Cloud Can Hedge Your Bets
Not everything has to go to the cloud, and maybe it shouldn’t for now. However, there are advantages to hosting certain computing or service functions in the cloud. The cloud is highly iterative, and new technologies and capabilities are being added to cloud infrastructures every day. For example, cloud platform providers are routinely enhancing the security telemetry features of their platforms to provide customers with real-time data that can be used to improve security. Additionally, many of the technologies used to secure physical data centers like next-generation firewalls, and threat intelligence subscriptions can easily be applied to new cloud-based networks to seamlessly protect data as it moves between physical and cloud-based data centers.

With a hybrid cloud implementation, organizations can hedge their bets: keep existing hardware-based network and datacenters in place and support new applications or satellite offices via the cloud as a way to gradually embrace a full public cloud implementation. This approach is sound, provided you’re using a traditional security platform that supports cloud integration. Sticking to a single security platform in a hybrid scenario is important for consistent visibility, policy enforcement and automated reprogramming of security technology regardless of location, existing network or new public cloud segments.  Trying to add cloud technology from vendor A to an existing security platform from vendor B could result in gaps in the overall security posture, especially visibility that could be exploited to penetrate network defenses.

Cloud computing has moved beyond the early adopter phase and is now mainstream. Any organization that isn’t taking advantage of the benefits the cloud provides runs the risk of falling behind competitors that have.

Related Content:

 

Frank Mong is senior vice president of product, industry and solutions for Palo Alto Networks. In this role, he is responsible for directing product marketing, industry (vertical) marketing and overall solutions (platform) marketing for the company's entire portfolio. An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Compliance and Risk Management Officer, AvePoint, Inc,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10006
PUBLISHED: 2018-08-20
Jsish version 2.4.65 contains a CWE-476: NULL Pointer Dereference vulnerability in Function jsi_ValueCopyMove from jsiValue.c:240 that can result in Crash due to segmentation fault. This attack appear to be exploitable via a crafted javascript code. This vulnerability appears to have been fixed in 2...
CVE-2018-10006
PUBLISHED: 2018-08-20
The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This ...
CVE-2018-10006
PUBLISHED: 2018-08-20
Rust Programming Language Rust standard library version Commit bfa0e1f58acf1c28d500c34ed258f09ae021893e and later; stable release 1.3.0 and later contains a Buffer Overflow vulnerability in std::collections::vec_deque::VecDeque::reserve() function that can result in Arbitrary code execution, but no ...
CVE-2018-10006
PUBLISHED: 2018-08-20
JabRef version <=4.3.1 contains a XML External Entity (XXE) vulnerability in MsBibImporter XML Parser that can result in disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted MsBib file. This vuln...
CVE-2018-10006
PUBLISHED: 2018-08-20
zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx.