Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

11/14/2016
07:30 AM
Larry Biagini
Larry Biagini
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Learning To Trust Cloud Security

Cloud-centric computing is inevitable, so you need to face your concerns and be realistic about risks.

After more than 35 years running IT for large enterprises, I've lived through various IT technology shifts: mainframe, client/server, RISC, CISC, etc. But early on in the development of the cloud, I recognized that the shift to becoming a cloud-enabled business is different.  

In enterprise IT, cloud security remains a topic of contention. Many IT and security leaders fear that a move to the cloud could cause problems, such as losing control of sensitive data. While concerns about risk are understandable and need to be addressed, they're often misplaced.

It's time businesses are honest with themselves about in-house capabilities before dismissing security in the cloud. Traditional enterprise security is based on perimeter controls — a model that was designed for a world where all data, users, devices, and applications operated within the perimeter and within the security controls. But as today's users blur the lines between activity inside and outside the perimeter, that model falls short because the perimeter is too big. I'd even say that in any mid- to large-size enterprise, there are more devices, users, and entry/exit points than the company knows about.

Cloud-centric computing is inevitable because the network, not your network, is just a conduit to allow access from trusted requestors to trusted resources. You will provide resources to those that you trust, when they need them and where they need them. The perimeter that will need protecting will be very small and contain services and properties that are critical to your business but not users. Users consume resources but are never on the cloud provider's core network. If they were, their perimeter could not be protected. Asyou evaluate security in the cloud, be realistic about the risks because deferring the transition to cloud services is itself a risky proposition.

Your Business Already Relies on the Cloud
What kinds of companies are leveraging the cloud today? Yours, for one. Even if you don't officially sanction any cloud services or applications, your employees are using them. So are your customers, suppliers, and business partners. Services that support file sharing, online collaboration, storage, and other daily activities are all hosted in the cloud. There's no getting around the fact that data is already being generated and shared there; business transactions are also happening and new business models are emerging.

The primary drivers for cloud adoption are speed, agility, and cost containment. For me, speed is the new currency. Business won't wait for anyone or anything, and IT is no exception. Because of lingering security concerns around control and reconfiguration, many businesses still rely on the private cloud model or use a hybrid approach that retains mission-critical data and applications on-premises. This is necessary in some cases, but not in most. If you allow the some to become the all, you'll be missing the train and your business will leave the station without you. For many, it already has.

In the cloud, software providers can immediately update or upgrade customers. Cloud security providers are similarly able to identify and patch threats and vulnerabilities across thousands of companies at record speed, thanks to the benefit of multitenant cloud architectures.

Financial institutions, for example, will want to maintain their "crown jewel" applications in their own data center, but when it comes to new applications, building infrastructure to maintain a Web application or mobile application simply makes no sense. Companies such as Betterment and Kabbage are using financial technology to push the limits on traditional banking, leveraging a user interface that appeals to the customer and allows those businesses to operate without the huge infrastructure of traditional finance organizations.   

Plan for the Journey
As you begin your journey, enlist the help of public cloud and software-as-a-service providers. Learn how they think and operate. Check the "us vs. them" attitude at the door and be realistic about your own capabilities. Their reputations rely on their ability to execute, and to do it securely. There's a reason the National Security Agency, for example, turned to Amazon Web Services to build the NSA cloud — instead of attempting it on its own.

It's OK to learn as you go. Many organizations have approached the move to the cloud as they would any major IT transition. They analyzed it and tried to glean as much as they could about the cloud and how it's provisioned, managed, and secured. That's not all bad, but the traditional vetting and risk processes slowed them down. Ultimately, the lesson learned has been: just do it. Don't let outdated notions around security stand in your way to modernize.

So start with taking your low-risk apps — you probably have hundreds — into the cloud. As you take that first step, you'll begin to see dividends in production, efficiency, and cost, and they will only increase over time.

The Cloud Makes You More Secure
Once you get past the initial holdups, the cloud opens a massive opportunity to keep your users, applications, and data safe, thanks to the benefits of shared threat protection. You will need to hire talent that eats, sleeps, and breathes cloud to supplement your current workforce, but you will no longer be locked in competition for infrastructure, networking, and security talent with the likes of Amazon, Microsoft, or Google.

You don't have to make the entire jump at once. You can merge cloud services and applications into your existing infrastructure, chipping away at the legacy stack a little at a time. Trust those who understand the cloud, and hire people who know how to secure and take advantage of it; a few key people can have a multiplier effect. Just ensure that they are apprised of the future strategy of your business — it's a joint growing process. In the end, it's all about trust.

Cloud transformation is a business transition fueled by technology. If, like me, you see that there is no going back, the best thing you can do for your business and your own IT organization is to start now.

Related Content:

Dark Reading's all-day virtual event Nov. 15 offers an in-depth look at myths surrounding data defense and how to put business on a more effective security path. 

Larry Biagini is chief technology evangelist at Zscaler, where he focuses on helping customers and partners better plan and execute their inevitable move towards expanding their use of cloud services. Biagini recently retired as vice president and chief technology officer of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nosmo_king
100%
0%
nosmo_king,
User Rank: Strategist
11/14/2016 | 8:33:56 AM
Too many assumptions
The author assumes that an organisation can 100% rely on internet connectivity, 100% of the time from 100% of locations.

As the DYN outage proved, that is simply not the case.

Therefore determining just how business critical certain functions and data are to the enterprise should be a guide as to where those functions and data are located.

The author also assumes that all cloud providers are created equal, or that all cloud based services are operated by AWS, Azure or a similair tier-one provider.

In truth most cloud services are offered by second and third tier providers, who in most cases do not provide their own infrastructure, backups, support, help desk etc.

Understanding the entire kill chain of your potential cloud provider is critical to be able to make a logical decision about whom to trust with what under what terms and conditions.

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...