Cloud
1/25/2017
02:30 PM
Frank Mong
Commentary

Cloud Is Security-Ready But Is Your Security Team Ready For Cloud?

Cloud computing has moved beyond the early adopter phase and is now mainstream. Here's how to keep data safe in an evolving ecosystem.

By now, most of us in IT are well aware of the technical and business advantages that moving to a cloud-based data center provides: the ability to dynamically scale network capacity as demand changes, reduction in capex costs associated with implementing, maintaining and staffing a physical data center, and being able to let employees share data anytime, anywhere and on any device.

These are compelling benefits. But there is still a lingering hesitancy among some organizations considering a move to the cloud. In my experience, most concerns boil down to two factors: a reluctance to put trusted data on a network that’s not on the premises, and confusion around the costs and complexity of moving to the cloud. Let’s take a closer look at the pluses and minuses surrounding these issues. If that’s what’s keeping an organization from the cloud, I have three points to share that should help clear up the “cloudiness” (pun intended) and shine light on the possibilities.

When It Comes To Security, The Cloud Is Ready
If there is one roadblock that keeps IT teams leery about the cloud, it’s cybersecurity. And while cybersecurity will always be a concern, when it comes to the cloud, the industry is well-prepared. Leading public cloud providers, like Amazon AWS and Microsoft Azure, have made significant investments in securing their cloud environments and both companies offer robust security resources to cloud customers via the Microsoft Azure Trust Center or Amazon’s AWS Cloud Security.

Cloud providers are also building an expansive ecosystem of security technology partners who can provide cybersecurity solutions for the public cloud and Software-as-a-Service. These solutions, if implemented as a cohesive platform and not an ad hoc collection of security devices that don’t work well together, can provide a consistent and seamless security experience to both cloud-based and physical networks through consistent visibility, policy, and enforcement across the network regardless of a user’s location. Another plus is the Cloud Security Alliance, an industry consortium of companies that provides excellent resources to help cloud adopters address security concerns and stay up to date on the latest developments in cloud technology.

Are You Ready for the Cloud?
Specifically, have you or your security team completed the necessary due diligence to identify the specific security functions required by your cloud solution? For example, AWS supports several native services that provide log and network flow information, such as CloudWatch and CloudTrail. Tools like these are powerful and highly configurable, provided you know how to use them and what you want from them.

Many enterprises may want to consider a third-party provider to do the integration work. This type of third-party approach will provide security, visibility, support, and long-term operational scale. When selecting a cloud integration partner, look for partners with certifications in cloud technology from vendors and industry organizations alike. Amazon, HP, and Microsoft all offer certifications for their cloud platforms, and industry groups like the Cloud Security Alliance and the SANS Institute also offer cloud security training and certification.

You May Already Be in the Cloud (Even If You Don’t Know It)
Businesses need to move fast these days, and departments within an organization may take it upon themselves to adopt cloud technologies without bringing IT into the loop. It’s a long-standing trend known as “shadow IT,” and it’s causing headaches as IT departments try to stay on top of which applications are operating on their network. For organizations that feel shadow IT isn’t a concern for them, I would point you to a survey Brocade conducted last year in which 83 percent of CIOs surveyed said they had experienced some level of unauthorized provisioning of cloud services within their organizations. It would seem the old cliché “If you can’t beat ’em, join ’em” is especially relevant to the cloud.

One way to get employees to leverage cloud services in the appropriate way is to publish policy templates for cloud platforms. Sales team wants to implement Salesforce via the cloud? No problem, provided the service is used by employees in ways that comply with existing security policy.

Hybrid Cloud Can Hedge Your Bets
Not everything has to go to the cloud, and maybe it shouldn’t for now. However, there are advantages to hosting certain computing or service functions in the cloud. The cloud is highly iterative, and new technologies and capabilities are being added to cloud infrastructures every day. For example, cloud platform providers are routinely enhancing the security telemetry features of their platforms to provide customers with real-time data that can be used to improve security. Additionally, many of the technologies used to secure physical data centers, like next-generation firewalls and threat intelligence subscriptions, can easily be applied to new cloud-based networks to seamlessly protect data as it moves between physical and cloud-based data centers.

With a hybrid cloud implementation, organizations can hedge their bets: keep existing hardware-based networks and data centers in place and support new applications or satellite offices via the cloud as a way to gradually embrace a full public cloud implementation. This approach is sound, provided you’re using a traditional security platform that supports cloud integration. Sticking to a single security platform in a hybrid scenario is important for consistent visibility, policy enforcement, and automated reprogramming of security technology regardless of location, whether on the existing network or in new public cloud segments. Trying to add cloud technology from vendor A to an existing security platform from vendor B could result in gaps in the overall security posture, especially in visibility, that could be exploited to penetrate network defenses.

Cloud computing has moved beyond the early adopter phase and is now mainstream. Any organization that isn’t taking advantage of the benefits the cloud provides runs the risk of falling behind competitors that have.

Frank Mong is senior vice president of product, industry and solutions for Palo Alto Networks. In this role, he is responsible for directing product marketing, industry (vertical) marketing and overall solutions (platform) marketing for the company's entire portfolio. An ...