Infosec leaders are often proud of the infrastructure they’ve built to protect their organizations. But at a cloud security conference in Toronto recently several experts agreed that’s one of the biggest obstacles to public cloud adoption in Canadian.
“Customers try to come into cloud and drag along all the processes and technologies they use on prem,” Adam Osterholt, a VMware cloud specialist, told the Trend Micro CloudSec conference.
“I can’t tell you how many discussions I’ve had with customers where they first want to move these workloads in the cloud, but still hairpin all of the traffic to the security infrastructure back on premises.”
Many fail to see the security advantages cloud offers, he said, such as the ability to do instance level security. “You’re really missing a lot of the value if you don’t take advantage of that when you start.”
For small and medium businesses, with fewer resources than enterprises, “cloud is the great equalizer,” agreed Matt Hoerig, president of the Canadian branch of the Cloud Security Alliance and CEO of Trustsec Advisory Services of Ottawa. The cloud is where smaller organizations can buy a metered security model that will give them enterprise-sized protection.
Still, a good cloud provider works closely with customers to make sure they understand security is a shared responsibility, said Gladstone Grant, national solution sales director Microsoft Canada Technology Centres.
But he also said organizations that will develop applications for the cloud have to beef up the security in their application development. That could mean adopting the DevSecOps process, where security is embedded in every step of code development.
The complaint that infosec leaders of organizations beginning the move to cloud are still chained to on-prem security was echoed in another session by Doug Cahill, senior analyst for cyber security at the Enterprise Strategy Group.
“One of the things I hear a lot from customers is lack of access to a network tap: ‘I want to plug in my next-generation firewall, my proxy, my network IDS … the cloud service provider does that in a public cloud environment, but in a different way, in a workload-centric way. For example, for firewalls there might be network security groups on a host-based level, or there would be host-based intrusion detection.”
Another problem, Cahill said, is the belief by IT that cloud infrastructure is immutable – it’s elastic, it’s on demand, it’s autoscaling so patching shouldn’t be a problem. But, he said, in a cloud environment patching can’t be done with an application in production. IT has to update the final configuration of a workload and then pour it back into production.
An interim solution can be “virtual patching,” which monitors network behaviour for possible exploits with a host-based intrusion detection system before an app can be updated.
In an interview Cahill said one of the biggest problems with newcomers to public cloud is not realizing there is a shared responsibility: The cloud provider typically is responsible for physical data centre security, physical network security and hypervisor security. The customer is responsible for data, application and operating system security as well as identity and access management.
So, for example, if the customer is signing up for infrastructure as a service (IaaS), IT must first have control over the number of user accounts needed/created, and then understand what services from the provider will be used –what APIs will be accessed, what workloads are being run. That defines the attack surface. With that knowledge the infosec team can apply the security controls (like access management) to mitigate risk.
The possible role of blockchains for cloud security was raised in another session by Dawood Khan, co-founder Capital Blockchain Inc., which develops enterprise blockchain solutions and founder of TransformationWorxs, which helps companies understand the technology.
As a distributed database in the cloud blockchain “changes how businesses operate, their policies, their policies, the way they deliver services, the way they bill for those services, the way customers pay for them.”
For example, he pointed to a startup that – for a fee — takes an organization’s personal information, shreds and, encrypts and stores it around the world on the computers of participants. When the user wants the data, it is re-assembled by the service.
While blockchain can be used in many ways for authentication and data storage, in an interview Khan acknowledged it isn’t a solution for every security problem. But he believes it’s ideal for centrally-stored data, which increases the risk of a data breach, and to audit transactions.