
Retooling Security for the Cloud Age

Enterprises Should Insist That Cloud Providers Give Visibility Into Their Security Processes and Controls to Ensure Confidentiality, Integrity, and Availability of Data…

In their eagerness to adopt cloud platforms and applications, organizations often neglect to recognize and address the compliance and security risks that come with them. The ease of getting a business into the cloud – a credit card and a few keystrokes – combined with service level agreements provides a false sense of security. However, shortcomings in a cloud provider’s security architecture can trickle down to the customers that rely on its services, in the form of power outages, data loss, unauthorized disclosure, data destruction, copyright infringement, and erosion of brand reputation. So what steps should organizations take to retool their security practices for the cloud age?

Over the last few months we reached two major milestones in the young history of cloud computing. On January 1st we celebrated the 30-year anniversary of the Internet, which has irrevocably changed the way we conduct business and collaborate. This was followed by the 15-year mark for Salesforce.com, a company that not only disrupted the software world with new models for technology, business, and philanthropy, but more importantly proved that organizations were willing to place their sensitive information in the cloud.

Because it allows enterprises to deploy IT resources quickly, cloud computing is rapidly replacing conventional in-house infrastructure at companies of all sizes. According to IDC (“IDC Black Book 2013”), by 2020, cloud computing will represent nearly 30% of all IT spending.

However, the push to the cloud is often led by business stakeholders trying to respond more quickly to changing market dynamics by taking IT matters into their own hands. When business units procure cloud-based services without IT’s knowledge, these “rogue applications” or “shadow IT” increase security risk. According to Cisco Consulting Services (“Impact of Cloud on IT Consumption Models”, Cisco 2013), 46% of North American IT leaders are seeing an increase in rogue purchasing by business teams. This number increases to 73% in the Asia-Pacific region. This creates new challenges for IT and security professionals, including but not limited to:

• Unknown security and compliance vulnerabilities;

• Misalignment of systems and internal policies;

• Inconsistent service level agreements; and

• Lack of visibility of security controls.

While cloud providers may have service level agreements in place, security provisions, the physical location of data, and other vital details may not be well defined. This creates a blind spot for organizations, especially those that must comply with contractual agreements, regulatory mandates, and breach notification laws for securing data.

Whether organizations plan to use public or private clouds, better security and compliance are needed. To address this challenge, it is necessary to institute policies and controls that match those used in data center environments. Third-party IT environments need to be as secure as their on-premises counterparts – especially if they can impact business performance and valuation.

Last year’s cyberattacks and associated data breaches of Zendesk and Evernote are prime examples of why companies need to implement a comprehensive risk and compliance plan that encompasses third-party cloud environments. Organizations should insist that cloud providers give them visibility into their security processes and controls to ensure confidentiality, integrity, and availability of data. Practically speaking, this would include the ability to assess security standards, trust security implementations, and prove infrastructure compliance to auditors.

As part of a Cloud Readiness Assessment, organizations should evaluate potential cloud service models and providers. This should include an assessment of certifications (e.g., SSAE 16) as well as security practices (e.g., assessment of threat and vulnerability management capabilities, continuous diagnostics and mitigation, business continuity plan), compliance posture, and ability to generate dynamic and detailed compliance reports that can be used by the provider, auditors, and an organization’s internal resources.


Given that many organizations use a heterogeneous cloud ecosystem that can span infrastructure services, software providers (e.g., cloud management, data, compute, file storage, and virtualization), and platform services (e.g., business intelligence, integration, development and testing, as well as database), it is often challenging to gather the above-mentioned information manually. Automating the vendor risk assessment may therefore be a viable option.

Following the guidelines developed by the Cloud Security Alliance, a non-profit organization that promotes the use of best practices for security assurance within cloud computing, organizations should perform both an initial Cloud Risk Assessment and continuously monitor cloud operations for new risks.

A portion of the cost savings obtained by moving to the cloud should be earmarked for monitoring cloud service providers’ security controls, and for ongoing detailed assessments and audits to ensure continuous compliance.

If possible, organizations should consider leveraging monitoring services or big data risk management software to:

• Maintain continuous compliance monitoring;

• Segregate and manage virtualization provisioning;

• Automate the implementation of CIS benchmarks and secure configuration management; and

• Monitor new threats via data feeds from zero-day vendors such as Verisign and the National Vulnerability Database (NVD) as well as vulnerability findings from virtualized scanners.

While few cloud service providers currently offer capabilities for risk-based security management and continuous diagnostics for compliance, they may soon be required to do so in order to establish trust and maintain a competitive advantage.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as a strategic advisory board member at the vulnerability risk management software vendor NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive-level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
