Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Second Look: Data Security In A Hybrid Cloud
Threaded  |  Newest First  |  Oldest First
1eustace
50%
50%
1eustace,
User Rank: Strategist
3/9/2015 | 2:47:03 PM
Security matters are getting forced into forethought rather than an afterthought
"As much as an organization like Anthem tries to embrace security, its line of business is providing healthcare services. That's where the company makes money. Anthem had to adapt to the times instead of being born in them."

More and more companies are realizing security can no longer be relegated to the domain of "necessary evil" but rather an integral part of survival.  As such more thought is given to security matters during architecture rather than leaving it to budget permiting post-hoc decisions.  Not just services but product manufacturers are also coming to this realization.
Bill Kleyman
50%
50%
Bill Kleyman,
User Rank: Apprentice
3/10/2015 | 10:34:11 AM
Re: Security matters are getting forced into forethought rather than an afterthought
Great thought here! I really think there needs to be a thought process change - a paradigm shift even - where security is approached from an entirely new direction. Cloud providers go out of their way to create powerfully multi-tenant systems capable of isolating and segregating critical workloads. When it comes to the enterprise, even Sony, we see how a single server gets breached containined a plethora of valuable information. 

It's not easy though. Some folks at the top stil see security as a cost, and then a necessity. Moving forward, the organizations that will succeed are the ones that see security as an enabler to business. The cost actually goes into helping users be more productive as well as more secure. Next-generation security concepts go much further than just "securing" your workloads. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/10/2015 | 10:55:37 AM
Re: Security matters are getting forced into forethought rather than an afterthought
Bill, how responsive are cloud providers to enterprise's concerns about data security, and what are the biggest issues where you see cloud still falling short today.
Bill Kleyman
50%
50%
Bill Kleyman,
User Rank: Apprentice
3/10/2015 | 11:52:20 AM
Re: Security matters are getting forced into forethought rather than an afterthought
@Marilyn - Cloud providers maintain an ever-agile response system. Here's the thing - they built their cloud platforms around dynamic scaling capabilities and secure multi-tenancy. Basically, that's their business model. Because of this - they segment user and customer workloads really well and keep everything isolated. This means they can scale as a user needs more resources while still keeping the architecture secure.

The biggest issues are misconceptions around the cloud. Yes, there are some use-cases which just won't work in the cloud; but even those are becoming fewer. We've seen micro-breaches happen in the cloud. If you recall, we had a console breach against a company being hosted at AWS. In 2014, Code Spaces was basically taken down. But the attack was isolated, no one else was impacted and everyone else ... even on that same server ... was still secure. 

Today - organizations should look at their workloads and do some cloud analysis planning. Does it work in the cloud? Does it help you reduce cost? Does it help reduce complexity? Is is potentially even more secure to store in the cloud? I think it's time some organizations seriously ask these questions -- especially if they hesitated to do so in the past. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/10/2015 | 12:12:30 PM
Re: Security matters are getting forced into forethought rather than an afterthought
 Does it work in the cloud? Does it help you reduce cost? Does it help reduce complexity? Is is potentially even more secure to store in the cloud?

Isn't the more meaningful question (to cloud service providers and enterprises) : How would security work in the cloud?....etc. I wonder how many CSPs would have answers that would satisfy infosec?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/10/2015 | 3:41:26 PM
Re: Security matters are getting forced into forethought rather than an afterthought
 

Agree, once we put humans out of security equation we can have better chance to succeed in security in cloud and everywhere else. 
Bill Kleyman
50%
50%
Bill Kleyman,
User Rank: Apprentice
3/10/2015 | 4:01:25 PM
Re: Security matters are getting forced into forethought rather than an afterthought
@Dr.T - "Once we put humans out of the security equation we can have a better chance to succeed in scurity..."


That sounds very SkyNet-ish :) We definitely want to place more automation and intelligence into the security layer. However, brilliant security and cloud professionals will always be needed. I have a very dear friend who works as a whitehat for a big security firm. He regularly tests some of the worlds most complex systems out there. In fact, he was one of the people that found a flaw in Blackberry's early OS 10 platform. He also found a backdoor hole in how AWS VM images are shared in a community. 

These guys conduct audits, assessments and much more to keep an environment up and running. For now, advanced persisten threats come from a variety of sources. Sometimes it's a set of zombie servers; and sometimes it's a person conducting a targeted attack. We still need people at the helm to defend against these threats. 
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
3/10/2015 | 3:45:02 PM
Re: Security matters are getting forced into forethought rather than an afterthought
Agree. I also like to look at the problem in a little bit simpler way, at the end of the day we want to protect the data, encrypt the data in transit and at rest and do a proper key management and at least you do not have to worry if the data is stolen it would not be compromised.
xmarksthespot
50%
50%
xmarksthespot,
User Rank: Strategist
3/16/2015 | 7:11:44 PM
Re: Security matters are getting forced into forethought rather than an afterthought
The concept of 'Trust No One' (TNO) is a bulletproof security measure for cloud-based storage.  Encryption is done before uploading to the cloud and decryption after downloading.  With proper encryption, no one can crack the files.  LastPass is a password storing app in the cloud employing the concept of 'Trust No One'.  Google "Trust no one (internet security)" to read more on Wikipedia.org .

This concept only applies where the applications running are at your site.  This article may describing Platform As A Service, or Software-As-A-Service, where encryption is being done in the cloud.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/10/2015 | 3:49:05 PM
Re: Security matters are getting forced into forethought rather than an afterthought
I truly agree with it, I am also optimistic, once we implement a better authentication and authorization mechanism such as getting rid of username/password combination we would get rid of major source of security problems. Most of these breach are happing simply because they get a legitimate credential to attack.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/10/2015 | 3:39:03 PM
Full adoption of Cloud is the future
 

Businesses can not continue to keep up with the requirements in their internal networks, they have to outsource all that at one point.  The main reason they could not do it now is because regulations are not responding today's needs. In the future those regulations will ease down, there will be less concerns on privacy and we will eventually reach more secure platforms in the cloud.
Bill Kleyman
50%
50%
Bill Kleyman,
User Rank: Apprentice
3/10/2015 | 3:56:57 PM
Re: Full adoption of Cloud is the future
@ Dr.T - I have to say, regulations are certainly changing already. Just look at my AWS example. Similarly, there will have to be a change in how security is delivered at the corporate side. Workload and VM segmentation will have to happen, internal security audits will need to become common practice, and those organizations that can quickly move into the cloud - should consider doing so.

Marilyn asked a great question earlier - How does security work better in the cloud? Well, to begin with, they treat each client as their own seperate entity. They get their own resources, their own pool of space, their own management platform and even their own set of locked down rights. What happens if there is a breach? The limited accessibility really pins down the attacker to doing very limited damage if any at all. The difference is that in the corporate world - one slip up, or one improper setting can impact an entire ecosystem. Cloud providers simply never allow their configurations to reach that point.

Their cost structure allows them to create multi-tenancy, while keeping everyone segmenter and secure -- all the while continuing to make money. Organizations with more traditional deployments sometimes miss key points where network controls and security have to be better deployed. Now, this isn't a blanket statement. There are some private organizations that take security into account similar to how the CSPs do it. But not all of them... and I have some big examples in this article already...


Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20331
PUBLISHED: 2021-05-13
Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "i...
CVE-2021-31215
PUBLISHED: 2021-05-13
SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling.
CVE-2020-36197
PUBLISHED: 2021-05-13
An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This ...
CVE-2020-36198
PUBLISHED: 2021-05-13
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP...
CVE-2021-28799
PUBLISHED: 2021-05-13
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3...