In anticipation of the upcoming Cloud Security Summit, set for Jan. 17 in Toronto, ITWC CIO Jim Love sat down recently with Upa Campbell, Vice President of Marketing for Palo Alto Networks, to discuss the evolution of cloud security.
In these excerpts from their conversation, they talk about moving from the current, and perhaps problematic, state of siloed security applications to the integrated and intelligent security necessary to protect our organizations in the coming years.
Jim Love, CIO, ITWC: You’ve talked with me before about the move from what you’ve termed “Cloud Security 1.0” to the new 2.0 version. Can you first share with me what the 1.0 version of Cloud Security is?
Upa Campbell, VP Marketing, Palo Alto Networks: Let me actually start with a definition of what I mean when I say cloud. It’s a very broad term. Cloud means a lot of things. When people say cloud, they may be referring to the public cloud, meaning IaaS (Infrastructure as a Service) or PaaS (Platform as a Service). These are the Amazons and the Azures and the Google Cloud platforms of the world. Or they could mean private cloud. Or they could mean SaaS (Software as a Service) applications such as Salesforce.com or Office 365. Or maybe they are talking in general about surfing the Internet.
If you are talking about “Cloud Security 1.0,” you’re talking about products that are used to secure one or many of these different forms of cloud. From my point of view, over the last 10 years, a number of products have been developed to secure one or more of these areas of cloud. So, they are point products, effectively. But there isn’t a solution today that solves all of cloud security. That’s why I call these point-product solutions “Cloud Security 1.0.”
Jim Love: What you have often is a mishmash of different solutions. How do you sort that out?
Upa Campbell: I think the key lies with your level of responsibility for each. When you think about private cloud, you have control of that data centre where you are hosting your own custom applications. You can install your own firewall, typically a virtualized firewall. So, you are responsible for securing pretty much all of it: the network, the assets within it and the users that are accessing this private data centre or private cloud.
After private cloud, the era of SaaS applications (Software as a Service) arrived. The Salesforce.coms of the world came around and said, “Hey, instead of these custom applications in your data centre, we’re going to host it for you.” So, all of a sudden, the responsibility for security changes. They are going to take care of securing the physical servers that they are hosting in the cloud to run these applications. The responsibility for the organization is that they have to secure the data that’s within the application and they have to secure the people who are accessing these applications.
More recently, you’re seeing the shift to the public cloud, like the Amazons, the Azures and the Google clouds of the world. There, your responsibility is different. They talk about a “shared responsibility model”. In the public cloud model, specifically when it comes to PaaS (Platform as a Service), they’re hosting the service and you’re responsible for the usage of that service. Or if you are using IaaS (Infrastructure as a Service), they’re hosting the servers, but you’re still responsible for who is using these servers and the network traffic between the servers.
Jim Love: You have an option of configuring the servers, even to the point of “dropping” the security, which is where I think most of the well-known disasters have happened. This shared responsibility model gets far more complex than anybody wants to think.
Upa Campbell: To that end, because the responsibilities for security are different in each of these types of cloud technologies, the types of cloud security or the strategies that you apply are different. For the private cloud, you can have VM based firewalls to protect your private cloud instance, but when it comes to SaaS applications, we’ve heard of this class of security technologies called CASBs (Cloud Access Security Brokers) that protect SaaS applications. The focus of these applications is to do data protection or things like DLP (data loss prevention) and encryption. That’s another type of cloud security technology. When you protect the public cloud, it’s a whole different ball game. You’re typically using an API based strategy and looking for misconfigurations, malicious user behaviour or crypto-mining within these public cloud environments. These are different types of security threats. And you have to take different approaches to security.
Jim Love: So you have these different approaches to security. This is our “Cloud Security 1.0,” a mishmash of different things, and we can’t treat them all the same. What are the other weaknesses or gaps in this model that you see?
Upa Campbell: When it comes to the “Cloud Security 1.0” model, the strength is the individual solutions. You have CASBs to protect SaaS and you have secure web gateways that protect you as you browse different websites. They focus on solving one specific problem very well. To solve all of cloud security, you need to put all of these products together. But then you have an overlay of security products, one on top of the other, and this can lead to complexity and a poor user experience if you are chaining these services with one another. The third thing is, if you are not protecting every aspect of the cloud, you can end up with a gap in coverage. You might actually have blind spots.
So, we need to start thinking more holistically and take more of a platform approach.
Jim Love: I think I understand how the gaps in security can happen. But can you give me an example of how this can create a poor user experience?
Upa Campbell: You could have a secure web gateway that protects users as they surf websites. Then specifically, you may want to control what users do within a sanctioned application, such as Salesforce. So you will implement a CASB. Now, you have a secure web gateway and a CASB and you are overlaying them, one on top of another and it creates a really poor user experience.
Jim Love: What scares me the most is the human factor. If you have poor passwords and someone gets in with these credentials and makes off with a lot of your data, who would know? You might not spot it for weeks.
Upa Campbell: I think people have to take a different approach, because you can’t put a firewall in front of a SaaS application. So what are your options? You can say, I have users accessing my applications and I need a way to spot abnormal user behaviour. Let’s say I access Salesforce and I typically look at my accounts and contacts, but one fine day I go into Salesforce and I start downloading a lot of records. That is not my normal behaviour and that should be flagged as suspicious. It could be an indication that I’m leaving the company.
You need to have the ability to monitor user behaviour. We have this class of technologies called user behaviour analytics, based on AI, so whenever it sees a deviation from normal behaviour, it flags it as risky. You have to employ different security strategies to detect risk.
Jim Love: I think you’d agree with me that the promise of AI or behavioural based security is really the future, as opposed to the “signature-based” world where I’m going to look for things that I can identify and watch for them. If I’ve heard you correctly, “Cloud Security 2.0” means being able to apply this to all of the different types of cloud in one single view.
Upa Campbell: Let’s imagine that you have a developer who is about to leave the company. Suddenly, this developer is going to websites like ZipRecruiter. Now that tells you something. But also, all of a sudden, that person is starting to download repositories from SaaS applications, trying to take things with them when they leave. Maybe they are using the company’s public cloud and posting some confidential documents in public cloud storage like an Amazon S3 bucket or an Azure blob. Then they set the permissions on the storage folder to public so that when they leave the company, they can still access those documents.
And so, if you were going to figure out how you detect this malicious behaviour, because it’s not the developer’s usual behaviour, you may spot the different website visits because you have a secure web gateway that monitors web activity. You may get some alerts. Similarly, you might spot the unusual web application behaviour because you have a CASB in place. And separate from that, you might have what Gartner calls a CSPM (Cloud Security Posture Management) and that will monitor what I’m doing within public cloud services. And that may generate some alerts when I put that data in the storage bucket and expose it to the public. All of these separate security applications can alert me that there is something wrong, but there is no one source that brings all this information together and correlates it. And that’s what you need. You need a single platform, which is what we are calling “Cloud Security 2.0,” that brings all of this together and analyzes it holistically and says, “Hey, when you look at the behaviour across all of these different technologies, we see a pattern that is suggesting something bad is about to happen.” The behaviour is not normal, so it merits an investigation. It’s that holistic view that is missing today.
Jim Love: What you have just described makes it crystal clear to me why so many companies do poorly at security. Even if you have all of that, making sure you have it all right and you don’t have anything fall between the cracks is an enormous responsibility with a lot of skill and a huge knowledge base required.
Upa Campbell: And that’s the problem we see. In the on-premises world particularly, there are all of these products, literally thousands of them, and they all solve a specific problem. But now it’s your responsibility to take the data from all of these different applications and stitch it together to get the holistic approach necessary to detect these sophisticated threats. That’s already a problem in the on-premises world and now, our thesis is that this is what’s happening in the world of cloud security. Cloud security is relatively new, but we are seeing all of these cloud security solutions starting to appear. And we are going to be in exactly the same state for cloud security as we are for on-premises security with siloed products that are looking at a specific problem.
Jim Love: We’ve always had a problem with best of breed solutions. How do I bring them together? But that’s become even more of an issue with the cloud.
Upa Campbell: That’s what Palo Alto Networks has been doing. We have all of these aspects of security through acquisitions. We have all of these, but our vision is to not just offer them separately but to stitch them together into a single platform where they work together. And that is what we are calling “Cloud Security 2.0.”
If this discussion made you think about where security is going, please join Jim and Upa at the Cloud Security Summit in Toronto on January 17. The event will feature a host of experts and IT leaders who will continue this exciting discussion about how to take cloud security to the next level.