Operations
11/14/2016
07:30 AM
Larry Biagini
Larry Biagini
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Learning To Trust Cloud Security

Cloud-centric computing is inevitable, so you need to face your concerns and be realistic about risks.

After more than 35 years running IT for large enterprises, I've lived through various IT technology shifts: mainframe, client/server, RISC, CISC, etc. But early on in the development of the cloud, I recognized that the shift to becoming a cloud-enabled business is different.  

In enterprise IT, cloud security remains a topic of contention. Many IT and security leaders fear that a move to the cloud could cause problems, such as losing control of sensitive data. While concerns about risk are understandable and need to be addressed, they're often misplaced.

It's time businesses are honest with themselves about in-house capabilities before dismissing security in the cloud. Traditional enterprise security is based on perimeter controls — a model that was designed for a world where all data, users, devices, and applications operated within the perimeter and within the security controls. But as today's users blur the lines between activity inside and outside the perimeter, that model falls short because the perimeter is too big. I'd even say that in any mid- to large-size enterprise, there are more devices, users, and entry/exit points than the company knows about.

Cloud-centric computing is inevitable because the network, not your network, is just a conduit to allow access from trusted requestors to trusted resources. You will provide resources to those that you trust, when they need them and where they need them. The perimeter that will need protecting will be very small and contain services and properties that are critical to your business but not users. Users consume resources but are never on the cloud provider's core network. If they were, their perimeter could not be protected. Asyou evaluate security in the cloud, be realistic about the risks because deferring the transition to cloud services is itself a risky proposition.

Your Business Already Relies on the Cloud
What kinds of companies are leveraging the cloud today? Yours, for one. Even if you don't officially sanction any cloud services or applications, your employees are using them. So are your customers, suppliers, and business partners. Services that support file sharing, online collaboration, storage, and other daily activities are all hosted in the cloud. There's no getting around the fact that data is already being generated and shared there; business transactions are also happening and new business models are emerging.

The primary drivers for cloud adoption are speed, agility, and cost containment. For me, speed is the new currency. Business won't wait for anyone or anything, and IT is no exception. Because of lingering security concerns around control and reconfiguration, many businesses still rely on the private cloud model or use a hybrid approach that retains mission-critical data and applications on-premises. This is necessary in some cases, but not in most. If you allow the some to become the all, you'll be missing the train and your business will leave the station without you. For many, it already has.

In the cloud, software providers can immediately update or upgrade customers. Cloud security providers are similarly able to identify and patch threats and vulnerabilities across thousands of companies at record speed, thanks to the benefit of multitenant cloud architectures.

Financial institutions, for example, will want to maintain their "crown jewel" applications in their own data center, but when it comes to new applications, building infrastructure to maintain a Web application or mobile application simply makes no sense. Companies such as Betterment and Kabbage are using financial technology to push the limits on traditional banking, leveraging a user interface that appeals to the customer and allows those businesses to operate without the huge infrastructure of traditional finance organizations.   

Plan for the Journey
As you begin your journey, enlist the help of public cloud and software-as-a-service providers. Learn how they think and operate. Check the "us vs. them" attitude at the door and be realistic about your own capabilities. Their reputations rely on their ability to execute, and to do it securely. There's a reason the National Security Agency, for example, turned to Amazon Web Services to build the NSA cloud — instead of attempting it on its own.

It's OK to learn as you go. Many organizations have approached the move to the cloud as they would any major IT transition. They analyzed it and tried to glean as much as they could about the cloud and how it's provisioned, managed, and secured. That's not all bad, but the traditional vetting and risk processes slowed them down. Ultimately, the lesson learned has been: just do it. Don't let outdated notions around security stand in your way to modernize.

So start with taking your low-risk apps — you probably have hundreds — into the cloud. As you take that first step, you'll begin to see dividends in production, efficiency, and cost, and they will only increase over time.

The Cloud Makes You More Secure
Once you get past the initial holdups, the cloud opens a massive opportunity to keep your users, applications, and data safe, thanks to the benefits of shared threat protection. You will need to hire talent that eats, sleeps, and breathes cloud to supplement your current workforce, but you will no longer be locked in competition for infrastructure, networking, and security talent with the likes of Amazon, Microsoft, or Google.

You don't have to make the entire jump at once. You can merge cloud services and applications into your existing infrastructure, chipping away at the legacy stack a little at a time. Trust those who understand the cloud, and hire people who know how to secure and take advantage of it; a few key people can have a multiplier effect. Just ensure that they are apprised of the future strategy of your business — it's a joint growing process. In the end, it's all about trust.

Cloud transformation is a business transition fueled by technology. If, like me, you see that there is no going back, the best thing you can do for your business and your own IT organization is to start now.

Related Content:

Dark Reading's all-day virtual event Nov. 15 offers an in-depth look at myths surrounding data defense and how to put business on a more effective security path. 

Larry Biagini is chief technology evangelist at Zscaler, where he focuses on helping customers and partners better plan and execute their inevitable move towards expanding their use of cloud services. Biagini recently retired as vice president and chief technology officer of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
nosmo_king
50%
50%
nosmo_king,
User Rank: Strategist
11/14/2016 | 8:33:56 AM
Too many assumptions
The author assumes that an organisation can 100% rely on internet connectivity, 100% of the time from 100% of locations.

As the DYN outage proved, that is simply not the case.

Therefore determining just how business critical certain functions and data are to the enterprise should be a guide as to where those functions and data are located.

The author also assumes that all cloud providers are created equal, or that all cloud based services are operated by AWS, Azure or a similair tier-one provider.

In truth most cloud services are offered by second and third tier providers, who in most cases do not provide their own infrastructure, backups, support, help desk etc.

Understanding the entire kill chain of your potential cloud provider is critical to be able to make a logical decision about whom to trust with what under what terms and conditions.

 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio