Kacy Zurkus offers an update on the highs, the lows and the cloudy areas of security challenges in a fast-evolving cloud environment
It’s hard to believe that only four or five years ago, many organizations were hesitant to move even one or two applications to the cloud. Despite the tentative position many companies took about transitioning, most organizations have since embraced cloud computing.
In 2018, more organizations are evolving into more mature users of cloud computing because of their ability to access all of the tools and data they need to perform their jobs from anywhere in the world at any time, greatly increasing user productivity as a result, says Jack Miller, CISO, SlashNext.
Yet this drive to the cloud raises interesting issues from a security perspective. “Cloud computing not only bypasses the traditional perimeter security controls, but it also eliminates our ability to restrict access policies around location and time, which opens us up to many more attacks,” Miller says.
In addition, companies still moving applications to the cloud confront security issues related to legacy systems not working well in the cloud. Meanwhile, other organizations have realized that one cloud is not enough, which has given rise to multi-cloud challenges for security teams that struggle to keep pace with the number of clouds spun up by IT and operations teams.
Couple that with defending against the risks from third-party providers and the potential for malicious actors to hijack accounts, and it’s not particularly clear whether information security in the cloud is any easier today than it was a few years ago.
Building Trust in a Cloudy Sky
Transitioning to public cloud infrastructures moved quickly, yet continued adoption and rapid innovation have improved the reliability and availability of core information security services in the cloud.
When companies collectively started using cloud, security protocols had to be established. “Since we were all in the cloud, there was a need to innovate that wouldn’t have happened if everyone stayed in their own ‘on-premise’ world of the past,” says Jeff Costlow, director of security, ExtraHop.
A feature of cloud computing that has helped with information security, according to James Carder, CISO at LogRhythm, is that “cloud providers can focus on developing and implementing stringent security controls in their specific applications, systems and services that are universally applicable to all their customers, without having to look at every company uniquely.”
However, when it comes to cloud security challenges, the issue is one of complexity. In fact, of the more than 300 IT professionals surveyed in Fugue’s 2017 State of Cloud Infrastructure Operations report, 39% said that security compliance slows them down, with another 29% asserting that the cloud needs to be easier to secure.
Yet, it is arguable that mass adoption of cloud services has returned information security professionals to the days of old when they would visit data centers with punch cards and magnetic tapes to implement programs and provide computing power, says Morey J Haber, vice-president of technology, office of the CTO, BeyondTrust.
“Computers were not our own and were centralized. Today, the cloud is very similar, and the security challenges of the older data centers have not changed that much,” Haber adds. That’s one reason why hybrid environments continue to be a major challenge for information security teams.
Many organizations lack a centralized view of all workloads across all of their environments, which compromises visibility and their ability to effectively manage and enforce security policies.
Bo Kim, senior director, information security at Imperva, says that when leveraging public clouds while still keeping workloads on premise, security teams are faced with major security architecture decisions. Once an architecture is selected and deployed, information security teams need to adjust internal processes to ensure equal visibility and protection across all environments.
“We’ve found that standardization is no longer a viable goal when architecting security solutions in hybrid environments. Flexibility and agility are now our main goals,” Kim says.
Cloud Security Challenges: Myths Versus Realities
Keeping up with the changes in cloud technology is both a financial and security challenge. The 2017 State of the Cloud Survey by RightScale found that cloud challenges had declined, but a few hurdles remain. The most cited challenge among mature cloud users is managing costs (24%). For those organizations that are still gaining cloud experience and growing in cloud maturity, though, the top challenge is security (32%).
Cloud service providers are developing powerful offerings that make it easier to develop applications by offloading complex functions from transcoding media, object recognition in video or photos, and database services to analytic platforms and serverless container solutions, says John Turner, senior director, cloud security at Optiv Security.
In reality, though, these offerings are in a realm of the shared responsibility model that is not well understood from a security perspective and not covered by many security tools.
Many cloud providers host systems, applications and data, but Carder says, “you are still responsible for ensuring that these are configured correctly and the proper controls are implemented for the right level of protection, based on what you are trying to protect, whether that is identity and access management, authentication or encryption.”
Even though mature enterprises reported hybrid cloud as their preferred enterprise strategy, private cloud use has fallen. Many organizations don’t have the expertise on staff to keep pace with innovations in cloud technology, which is one reason why public cloud adoption has grown. Weak configuration and patch management issues will get exposed in the cloud as they would if they were on-premise, says Carder, “except that the problems are amplified by the use of shared infrastructure.”
Misconceptions about security challenges also stem from cloud maturity, particularly when organizations have to worry about physical security and firewalls, zones, vulnerabilities, patching, privileges and other new and emerging threats. Public cloud infrastructure can be a huge win for security, says CloudPassage CTO and co-founder Carson Sweet.
Cloud providers are able to take more responsibility from the security teams’ plate, which Sweet believes frees up the team to address other issues and provide security at higher levels, making public cloud a more economical option.
“Take DDoS protection in the environment as an example. When they move apps to the cloud, the cloud provider delivers a lot of those DDoS prevention protections. The reality is that Azure or Amazon Web Services provide higher-level services so that all of the customers get that benefit,” Sweet says.
Yet there are common challenges across both the private and public environment, the biggest of which is speed. While the rate of change in the environment is high, the pace of change challenges security. “The work comes in when they make changes because every change has to be analyzed to see if risk has evolved,” Sweet adds.
After all, says Haber, many environments still support x86 architectures that were developed in the 1980s and are still in use now. “We just need to translate the disciplines we learned over the decades to protect our resources today.”
This includes everything from securing privileged access to vulnerability management. The disciplines have not changed, but techniques and practices have. “Exploring the techniques and best practices from nearly a generation ago will help us avoid making the same mistakes as we implement them in the cloud,” Haber explains.
Using Cloud to Support Information Security
The most notable truths about cloud computing are that cloud is not going away, yet its rate of change is so rapid that speed is a top challenge to information security. To best address the frequent changes and use cloud to support information security in the enterprise, it’s important to remember that the technical environment is quite different from traditional data centers.
The perimeter and network security defenses that everyone relied on for a couple of decades are fast becoming obsolete. Extending on-premise security tools to the cloud is not always an option, or the most secure solution. “Infosec teams now have to remain up-to-date with the numerous native security tools offered by public cloud providers, hybrid solutions offered by security vendors and techniques to extend on-premise solutions to the cloud (or vice versa),” Bo Kim points out.
With varying degrees of success, many have tried to adapt the tools that were used in data center environments to work in the cloud. “The challenge is that if you haven’t built the security technology specifically for that environment, the problem will still exist,” Sweet warns.
Organizations that are just beginning their journey to the cloud, having moved only a small percentage of their applications, still have the majority of work in their data center. For these companies, moving to a cloud environment is a five-year journey where they will be managing two different sets of technology.
Managing multiple environments is a more complicated challenge for enterprises because they are moving to the cloud faster than the security teams can learn it. The result is more workloads that are not under verifiable control from a risk and compliance perspective. “The amount of unmanaged information security risk is growing rapidly and organizations are making significant tradeoffs in their business risk models that they are probably unaware of,” Turner says.
Yet the best part of the cloud, adds Turner, is that it is typically programmatically driven and apps are implemented by code, not by hand. In addition, the cloud service provider (CSP) reports on all of the usage and changes through its APIs. Once enterprise security teams have the expertise to consume these APIs, they can drive better visibility and compliance.
“Things will continue to move to the cloud – where they get data storage and computer cycles in bulk for the best price,” Costlow claims.
The cloud is efficient and economical, and Miller says we need to implement new security controls built on cognitive computing that are unnoticeable to the end users so that they can fully maximize the efficiencies offered from cloud computing.
Moving forward, we will continue to see the industry swiftly converging on best practices to overcome new and existing challenges to information security in the cloud.