
Operations

11/14/2016
07:30 AM
Larry Biagini
Commentary

Learning To Trust Cloud Security

Cloud-centric computing is inevitable, so you need to face your concerns and be realistic about risks.

After more than 35 years running IT for large enterprises, I've lived through various IT technology shifts: mainframe, client/server, RISC, CISC, etc. But early on in the development of the cloud, I recognized that the shift to becoming a cloud-enabled business is different.  

In enterprise IT, cloud security remains a topic of contention. Many IT and security leaders fear that a move to the cloud could cause problems, such as losing control of sensitive data. While concerns about risk are understandable and need to be addressed, they're often misplaced.

It's time businesses were honest with themselves about their in-house capabilities before dismissing security in the cloud. Traditional enterprise security is based on perimeter controls — a model designed for a world in which all data, users, devices, and applications operated inside the perimeter and inside its security controls. But as today's users blur the line between activity inside and outside the perimeter, that model falls short because the perimeter has become too big to defend. I'd even say that in any mid- to large-size enterprise, there are more devices, users, and entry/exit points than the company knows about.

Cloud-centric computing is inevitable because the network — any network, not just your network — is simply a conduit that lets trusted requestors reach trusted resources. You will provide resources to those you trust, when they need them and where they need them. The perimeter that still needs protecting will be very small and will contain only the services and properties critical to your business, not users. Users consume resources but are never on the cloud provider's core network; if they were, that perimeter could not be protected. As you evaluate security in the cloud, be realistic about the risks, because deferring the transition to cloud services is itself a risky proposition.

Your Business Already Relies on the Cloud
What kinds of companies are leveraging the cloud today? Yours, for one. Even if you don't officially sanction any cloud services or applications, your employees are using them. So are your customers, suppliers, and business partners. Services that support file sharing, online collaboration, storage, and other daily activities are all hosted in the cloud. There's no getting around the fact that data is already being generated and shared there; business transactions are also happening and new business models are emerging.

The primary drivers for cloud adoption are speed, agility, and cost containment. For me, speed is the new currency. Business won't wait for anyone or anything, and IT is no exception. Because of lingering security concerns around control and reconfiguration, many businesses still rely on the private cloud model or use a hybrid approach that retains mission-critical data and applications on-premises. This is necessary in some cases, but not in most. If you allow the some to become the all, you'll be missing the train and your business will leave the station without you. For many, it already has.

In the cloud, software providers can immediately update or upgrade customers. Cloud security providers are similarly able to identify and patch threats and vulnerabilities across thousands of companies at record speed, thanks to the benefit of multitenant cloud architectures.

Financial institutions, for example, will want to keep their "crown jewel" applications in their own data centers, but when it comes to new applications, building infrastructure to host a Web application or mobile application simply makes no sense. Companies such as Betterment and Kabbage are using financial technology to push the limits of traditional banking, leveraging a user interface that appeals to the customer and lets those businesses operate without the huge infrastructure of traditional finance organizations.

Plan for the Journey
As you begin your journey, enlist the help of public cloud and software-as-a-service providers. Learn how they think and operate. Check the "us vs. them" attitude at the door and be realistic about your own capabilities. Their reputations rely on their ability to execute, and to do it securely. There's a reason the National Security Agency, for example, turned to Amazon Web Services to build the NSA cloud — instead of attempting it on its own.

It's OK to learn as you go. Many organizations have approached the move to the cloud as they would any major IT transition: they analyzed it and tried to glean as much as they could about how the cloud is provisioned, managed, and secured. That's not all bad, but the traditional vetting and risk processes slowed them down. Ultimately, the lesson learned has been: just do it. Don't let outdated notions about security stand in the way of modernizing.

So start with taking your low-risk apps — you probably have hundreds — into the cloud. As you take that first step, you'll begin to see dividends in production, efficiency, and cost, and they will only increase over time.

The Cloud Makes You More Secure
Once you get past the initial holdups, the cloud opens a massive opportunity to keep your users, applications, and data safe, thanks to the benefits of shared threat protection. You will need to hire talent that eats, sleeps, and breathes cloud to supplement your current workforce, but you will no longer be locked in competition for infrastructure, networking, and security talent with the likes of Amazon, Microsoft, or Google.

You don't have to make the entire jump at once. You can merge cloud services and applications into your existing infrastructure, chipping away at the legacy stack a little at a time. Trust those who understand the cloud, and hire people who know how to secure and take advantage of it; a few key people can have a multiplier effect. Just ensure that they are apprised of the future strategy of your business — it's a joint growing process. In the end, it's all about trust.

Cloud transformation is a business transition fueled by technology. If, like me, you see that there is no going back, the best thing you can do for your business and your own IT organization is to start now.

Larry Biagini is chief technology evangelist at Zscaler, where he focuses on helping customers and partners better plan and execute their inevitable move towards expanding their use of cloud services. Biagini recently retired as vice president and chief technology officer of ...

Comments
nosmo_king
11/14/2016 | 8:33:56 AM
Too many assumptions
The author assumes that an organisation can 100% rely on internet connectivity, 100% of the time from 100% of locations.

As the Dyn outage proved, that is simply not the case.

Therefore, determining just how business-critical certain functions and data are to the enterprise should be a guide as to where those functions and data are located.

The author also assumes that all cloud providers are created equal, or that all cloud-based services are operated by AWS, Azure or a similar tier-one provider.

In truth, most cloud services are offered by second- and third-tier providers, who in most cases do not provide their own infrastructure, backups, support, help desk, etc.

Understanding the entire kill chain of your potential cloud provider is critical to be able to make a logical decision about whom to trust with what under what terms and conditions.
