Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/9/2015
10:30 AM
Bill Kleyman
Bill Kleyman
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
100%
0%

Second Look: Data Security In A Hybrid Cloud

Today's big cloud providers were built around an architecture for hosting and securing data. They will continue to thrive, only by keeping your workloads safe.

When it comes to cloud adoption, one of the longest standing debates revolves around data integrity and security. The FUD around cloud always has involved issues of security and information access. But what if we have it all wrong? What if we are actually misunderstanding the true, underlying business model of a modern cloud environment?

But before we get into that, let’s look at the current data breach landscape. A recent 2014 Ponemon study shows that a probability of a material data breach over the next two years involving a minimum of 10,000 records, at an on-premise data center, is nearly 19 percent. In addition, the study reports:

  • The cost of a data breach has increased. Breaking a downward trend over the past two years, both the organizational cost of data breach and the cost per lost or stolen record have gone up, on from $5.4 million to $5.9 million per organization studied. The cost per record increased from $188 to $201. 
  • Malicious or criminal attacks result in the highest per capita data breach cost. Consistent with prior reports, data loss or exfiltration resulting from a malicious or criminal attack yielded the highest cost at an average of $246 per compromised record. In contrast, both system glitches and employee mistakes resulted in a much lower average per capita cost at $171 and $160, respectively.

With that in mind, let’s pause the conversation here and actually look at some of the biggest recent data breaches.

  • Anthem (2014-2015): 80 million records (Social Security numbers, addresses, emails, names)
  • Target (2014): 70 million records (credit cards, emails, addresses)
  • Sony (2014): 100+TB of data, 6,500 employee records.
  • Home Depot (2014): 56 million customer credit and debit card accounts as well as 53 million customer email addresses.

These data breaches are so widespread that there’s a good chance you were impacted by one of the aforementioned incidents. In fact, I was!

The simple point I am making here is that with more data, there will be more data breach targets. However, let’s consider where these breaches are happening most. When was the last time Amazon Web Services lost tens of millions of customer records? Or IBM SmartCloud? Has there ever been a massive breach at Rackspace or even Azure? No. Not yet, at least.

Data integrity, security, and big clouds
The line of business for big cloud providers is to host and secure data. They were built around this idea and architecture, specifically, multi-tenant secure hosting. As much as an organization like Anthem tries to embrace security, its line of business is providing healthcare services. That’s where the company makes money. Anthem had to adapt to the times instead of being born in them. AWS and Rackspace, on the other hand, make their money by making sure customer workloads are up and secure. And, they continue to evolve that model.

From a cloud adoption perspective, a recent Gartner report shows that the use of cloud computing is growing, and by 2016 this growth will increase to become the bulk of new IT spend. Furthermore, 2016 will be a defining year for cloud as private cloud begins to give way to hybrid cloud, and nearly half of large enterprises will have hybrid cloud deployments by the end of 2017, according to Gartner.

It’s also getting a lot easier for companies to migrate their workloads into some kind of cloud environment, which makes a cloud option much more competitive with a traditional on premise data center solution.

If you’re concerned about compliance and regulations, cloud providers are already providing options around even the strictest workloads. For example, AWS Compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection. This includes PCI DSS, ISO, FedRAMP, DoD, FISMA, FIPS and more. You can now process protected healthcare information (PHI) through an AWS model, for example, and still be compliant. Beyond that, new kinds of cloud automation and orchestration tools allow you to create powerful extensions from your existing data center into a hybrid cloud model.

Platforms like OpenStack and CloudStack are revolutionizing how we extend cloud capabilities. Beyond that, the delivery of cloud-based services now allows for an even richer end-user experience while still enabling new concepts around mobility and IoT.

Moving forward, there will be a lot more data to control. And, a lot of it is already moving to the cloud. The latest Cisco Cloud Index report goes on to show that by 2018, more than three quarters (78 percent) of workloads will be processed by cloud data centers compared to 22 percent processed by traditional data centers.

Maybe it’s time to look at cloud as a very viable option for some of your company’s most critical workloads. Let’s chat about the pluses and minuses of the hybrid cloud in the comments.

  Bill Kleyman brings more than 15 years of experience to his role as Executive Vice President of Digital Solutions at Switch. Using the latest innovations, such as AI, machine learning, data center design, DevOps, cloud and advanced technologies, he delivers solutions ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
xmarksthespot
50%
50%
xmarksthespot,
User Rank: Strategist
3/16/2015 | 7:11:44 PM
Re: Security matters are getting forced into forethought rather than an afterthought
The concept of 'Trust No One' (TNO) is a bulletproof security measure for cloud-based storage.  Encryption is done before uploading to the cloud and decryption after downloading.  With proper encryption, no one can crack the files.  LastPass is a password storing app in the cloud employing the concept of 'Trust No One'.  Google "Trust no one (internet security)" to read more on Wikipedia.org .

This concept only applies where the applications running are at your site.  This article may describing Platform As A Service, or Software-As-A-Service, where encryption is being done in the cloud.
Bill Kleyman
50%
50%
Bill Kleyman,
User Rank: Apprentice
3/10/2015 | 4:01:25 PM
Re: Security matters are getting forced into forethought rather than an afterthought
@Dr.T - "Once we put humans out of the security equation we can have a better chance to succeed in scurity..."


That sounds very SkyNet-ish :) We definitely want to place more automation and intelligence into the security layer. However, brilliant security and cloud professionals will always be needed. I have a very dear friend who works as a whitehat for a big security firm. He regularly tests some of the worlds most complex systems out there. In fact, he was one of the people that found a flaw in Blackberry's early OS 10 platform. He also found a backdoor hole in how AWS VM images are shared in a community. 

These guys conduct audits, assessments and much more to keep an environment up and running. For now, advanced persisten threats come from a variety of sources. Sometimes it's a set of zombie servers; and sometimes it's a person conducting a targeted attack. We still need people at the helm to defend against these threats. 
Bill Kleyman
50%
50%
Bill Kleyman,
User Rank: Apprentice
3/10/2015 | 3:56:57 PM
Re: Full adoption of Cloud is the future
@ Dr.T - I have to say, regulations are certainly changing already. Just look at my AWS example. Similarly, there will have to be a change in how security is delivered at the corporate side. Workload and VM segmentation will have to happen, internal security audits will need to become common practice, and those organizations that can quickly move into the cloud - should consider doing so.

Marilyn asked a great question earlier - How does security work better in the cloud? Well, to begin with, they treat each client as their own seperate entity. They get their own resources, their own pool of space, their own management platform and even their own set of locked down rights. What happens if there is a breach? The limited accessibility really pins down the attacker to doing very limited damage if any at all. The difference is that in the corporate world - one slip up, or one improper setting can impact an entire ecosystem. Cloud providers simply never allow their configurations to reach that point.

Their cost structure allows them to create multi-tenancy, while keeping everyone segmenter and secure -- all the while continuing to make money. Organizations with more traditional deployments sometimes miss key points where network controls and security have to be better deployed. Now, this isn't a blanket statement. There are some private organizations that take security into account similar to how the CSPs do it. But not all of them... and I have some big examples in this article already...
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/10/2015 | 3:49:05 PM
Re: Security matters are getting forced into forethought rather than an afterthought
I truly agree with it, I am also optimistic, once we implement a better authentication and authorization mechanism such as getting rid of username/password combination we would get rid of major source of security problems. Most of these breach are happing simply because they get a legitimate credential to attack.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
3/10/2015 | 3:45:02 PM
Re: Security matters are getting forced into forethought rather than an afterthought
Agree. I also like to look at the problem in a little bit simpler way, at the end of the day we want to protect the data, encrypt the data in transit and at rest and do a proper key management and at least you do not have to worry if the data is stolen it would not be compromised.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/10/2015 | 3:41:26 PM
Re: Security matters are getting forced into forethought rather than an afterthought
 

Agree, once we put humans out of security equation we can have better chance to succeed in security in cloud and everywhere else. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/10/2015 | 3:39:03 PM
Full adoption of Cloud is the future
 

Businesses can not continue to keep up with the requirements in their internal networks, they have to outsource all that at one point.  The main reason they could not do it now is because regulations are not responding today's needs. In the future those regulations will ease down, there will be less concerns on privacy and we will eventually reach more secure platforms in the cloud.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/10/2015 | 12:12:30 PM
Re: Security matters are getting forced into forethought rather than an afterthought
 Does it work in the cloud? Does it help you reduce cost? Does it help reduce complexity? Is is potentially even more secure to store in the cloud?

Isn't the more meaningful question (to cloud service providers and enterprises) : How would security work in the cloud?....etc. I wonder how many CSPs would have answers that would satisfy infosec?
Bill Kleyman
50%
50%
Bill Kleyman,
User Rank: Apprentice
3/10/2015 | 11:52:20 AM
Re: Security matters are getting forced into forethought rather than an afterthought
@Marilyn - Cloud providers maintain an ever-agile response system. Here's the thing - they built their cloud platforms around dynamic scaling capabilities and secure multi-tenancy. Basically, that's their business model. Because of this - they segment user and customer workloads really well and keep everything isolated. This means they can scale as a user needs more resources while still keeping the architecture secure.

The biggest issues are misconceptions around the cloud. Yes, there are some use-cases which just won't work in the cloud; but even those are becoming fewer. We've seen micro-breaches happen in the cloud. If you recall, we had a console breach against a company being hosted at AWS. In 2014, Code Spaces was basically taken down. But the attack was isolated, no one else was impacted and everyone else ... even on that same server ... was still secure. 

Today - organizations should look at their workloads and do some cloud analysis planning. Does it work in the cloud? Does it help you reduce cost? Does it help reduce complexity? Is is potentially even more secure to store in the cloud? I think it's time some organizations seriously ask these questions -- especially if they hesitated to do so in the past. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/10/2015 | 10:55:37 AM
Re: Security matters are getting forced into forethought rather than an afterthought
Bill, how responsive are cloud providers to enterprise's concerns about data security, and what are the biggest issues where you see cloud still falling short today.
Page 1 / 2   >   >>
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8813
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
CVE-2020-9039
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
CVE-2020-8860
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
CVE-2020-8861
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
CVE-2020-8862
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...