Why Security Pros Need to Embrace the Cloud
By Jeffrey W. Brown, Chief Security and Information Risk Officer, BNY Mellon
Technology futurists predict that your entire data center could wind up in the cloud. This isn’t a distant vision or far off future state, either. In fact, some big companies, like Netflix, are already there. Gartner claims that by 2020, a corporate "no-cloud" policy will be as rare as a "no-Internet" policy is today. They see companies moving from a “cloud first” strategy to a “cloud only” strategy in the short term. Even the financial industry regulatory authority (FINRA) uses the cloud to analyze some 75 billion trades daily. A financial regulator in the cloud? Is it time for security professionals to panic? Not so fast.
There have been a number of high-profile incidents from clients of cloud services recently, which gives the naysayers plenty of material to feed their view on why the cloud should be avoided. Booz Allen, Viacom, Verizon, some very big name companies have all had issues. Yet when we look at why these issues happened, the theme was more around configuration management than around a fundamentally flawed platform. Still, the number one barrier cited to cloud deployment is security concerns. It should probably be poor IT hygiene.
"Patch management, identity and access management, malware and denial of service are all potential issues for you regardless of where your IT systems reside."
In the above cases, the Amazon Web Services (AWS) S3 service “leaked” data because it wasn’t properly configured in the first place. Logging, encryption, basic identity and access management might have helped prevent these issues. Creating a secure S3 bucket with a single user is dead simple. Anything beyond this scenario needs a more thoughtful deployment approach and a reasonable security model utilizing the principles of least privileged. And we, as security pros, are not going to have a seat at that table if we take the stance that the whole concept is a bad idea.
Not to mention that the facts aren’t exactly supporting that the whole thing is a bad idea. A recent report by AlertLogic, a cloud-focused security company, found that pure public cloud installations experienced fewer security incidents than any other deployment scenario including on premise datacenters. What we’re seeing is that the cloud security infrastructure is actually fairly robust. It’s the applications and general configuration management that needs more attention. It’s not the cloud itself; it’s what we’re putting into the cloud.
That’s not to say that there aren’t real risks in the cloud. But some of these risks exist simply by virtue of being on the internet. Patch management, identity and access management, malware and denial of service are all potential issues for you regardless of where your IT systems reside. Even things like virtualization are not unique to the cloud environment. Other risks, however, do bear some consideration.
One very real risk is that when you are in the cloud, you are in a shared environment. Cloud service providers (CSPs) share infrastructure and applications. If vulnerability arises in any of these layers, it could have an across-the-board effect on everyone. Cloud APIs could also contain yet-to be-discovered vulnerabilities. These are unknown risks, but could have a big impact if they are discovered. Finally, when you’re in the cloud the CSP is not responsible for all aspects of your deployment. Cloud security is a shared responsibility between you and the CSP. A very real risk is in assuming someone else is covering a security control that is really in your court to handle. Understanding roles & responsibilities, data ownership and breach notification obligations should all be handled up front at the contract stage.
Another challenge is that many of our traditional security tools that we’ve come to rely on either aren’t available or don’t work in the cloud. Without the tools to provide deep visibility into the security configuration, our security comfort level remains’ bit cloudy. Cloud deployments require some outside-the-box thinking in terms of how to achieve both security and business requirements harmoniously. It also requires flexibility and learning new technology.
Despite concerns, there is still great promise in the cloud that won’t be found in the traditional datacenter. Using Dev/Sec/Ops principles, there could be automated compliance controls, comprehensive patch management and template-driven system configurations, which are just a handful of those benefits. Imagine being able to deploy a template across your systems that achieves IT system compliance with GDPR, PCI or other compliance requirements in minutes. What’s more, you could prove compliance in minutes instead of months of audit fieldwork. A lot of these tools exist right now, and better ones are on the way.
The benefit of the cloud is no longer just about cost savings and time-to-market, it’s where real innovation will take place over the coming years. With some thoughtful planning and careful attention to the security controls, there’s no reason why we shouldn’t all embrace this future with open arms. Especially the security team.