7 Ways Cloud Alters The Security Equation
Would-be and existing customers must understand that security isn't set-and-forget just because it resides in the cloud.
September 23, 2016
By now, the pitch for cloud-based services is familiar to anyone in IT: They're cheaper, more efficient, and will free up in-house infosec professionals for more value-added tasks (yes, everyone's really going to miss reviewing log management data).
The promises of highly automated functionality and trouble-free operations may be slightly overstated, at least where cloud-based security is concerned. But most infosec professionals are already masters of due diligence, and cloud is like any other external service provider: seasoned security pros know to ask a lot of questions, perform their own testing and audits, and get customer references for the real skinny on how cloud-based security goes.
Smart, reputable cloud service providers will encourage, or even require, customers to undertake many of the steps we outline here, and then some. But take note any time a provider balks at being transparent or at providing greater levels of access and discovery. Cloud is by nature a partnership, since it's essentially an outsourced service; for something as strategic as security, customers are going to want lots of disclosure and trust up front.
Whether you're entertaining cloud security or are already a customer, here are some basic ways that these third-party services change the ways infosec professionals have traditionally conducted themselves. The list is by no means exhaustive. And if we've missed something egregious, leave us a note in the comments section below! Let's make this a multi-party dialog.
Anyone in IT knows if you're going to use an external service provider, you need to be able to audit performance and key metrics to ensure compliance, all to keep the legal beagles at bay. Auditing is especially critical for something as strategic as security management. Unfortunately, cloud service providers don't always make it easy to audit performance. According to a survey of 300 Dark Reading/InformationWeek readers from June 2016, only about a third of respondents said they were able to perform risk assessments of potential cloud service providers; 20% said they use the providers' own self-audit reports. Alarmingly, 13% reported wanting to conduct their own audits but found cloud security providers generally uncooperative.
Independent auditing needs to be simplified if cloud providers expect to make any headway in security services, especially since 22% of survey respondents also said the inability to audit or access key metrics leaves them more worried about their vulnerability to attack.
Here's a common complaint among infosec pros: application software that lacks basic security features from its inception and is riddled with vulnerabilities. So why should the application software that cloud providers use be any different? Note that this is distinct from the hosting infrastructure offered by Microsoft Azure or Amazon Web Services, for example; it's the application software that processes or stores user data where the vulnerabilities live.
While security expertise is becoming more common among these back-end developers, it's still not entirely the norm. Experts recommend a two-pronged analysis that examines the application as it runs in production as well as the actual source code behind it. Some cloud service providers have this at the ready; if they don't, be prepared to conduct your own. How they respond to that request will tell customers a lot about how things are likely to go once under contract.