Cloud security: Essential yet complicated
In this interview, Ron Zalkind, CTO and co-founder of CloudLock, talks about the top cloud security threats, illustrates how the power of the cloud can influence the agility of a modern security architecture, explains the main difficulties associated with implementing security policies in both public and private clouds, and more.
Now that the cloud market is mature and the majority of enterprises have embraced what it has to offer, what do you see as the top cloud security threats?
The major cloud platforms, such as Google Apps, Salesforce, Amazon AWS and others, have created highly-scalable and secure platforms. While the risk of an entire platform-level compromise has gone down, the security focus has moved to the most difficult component of a system to secure: the users. While attackers use a variety of attacks, from spear phishing to malware to compromise user credentials, users frequently expose sensitive data through oversharing or misuse.
With BYOX, users self-provisioning third-party apps connected via corporate credentials is another access point for security threats. Access scopes can be quite invasive, including editing, deleting, copying files. This is the cloud shadow IT vs. the network based shadow IT of the on-premises world. This poses a serious threat in the new cloud reality.
There is still the threat side posed by both insiders and outsiders; that doesn’t change, but the attack vectors are new, and sometimes different, in the cloud. Being able to identify sensitive data — used, accessed and shared the right way — that is more challenging given how easy it is to collaborate. Now you need a different form of visibility into where that data it, who it’s shared with and put controls in place to protect it.
Then there is the challenge of quick incident response across different cloud apps you use every day, while at the same time monitoring privileged user management. The security implications are greater when talking about privileged users, from provisioning third party apps in the corporate environment to permissions and even configuration security for PaaS and other cloud solutions.
How can the power of the cloud influence the agility of a modern security architecture?
Security as a SaaS solution is an inherently more agile approach – and one that aligns with modern use of cloud services. Cloud-based security solutions can collect and analyze data across both cloud platforms and customers. Suspicious behaviors can now be detected across companies, which was impossible in the on-premises world. This is, in effect, the “crowdsourcing” of security. Old-style security, such as proxies and gateways inherently lack the agility of modern SaaS security services.
In addition, security solutions that are offered as a service can secure cloud applications and platforms by connecting to them directly. New functionality can be immediately available to all customers across all platforms.
The answer to this is building security as a utility or service from the cloud so that is can leverage the infinite scale and availability. Now the cloud makes it easy to bake in security into everyday life — users, security, apps, programs — and even developers as they envision the apps they build.
The way I look at it there are the apps we use — better security, always there, scale with us, don’t disrupt the users — built as a utility for the cloud. Then there are the apps we buy, with the ability to integrate into the same stack with ease, and then baking security into homegrown apps. And lastly there are the apps we sell, which have parallels to areas we are familiar with IDaaS, 2-factor as a service, etc. — the ability to make security easy and scalable presents new opportunities to integrate into the apps you sell to discover new opportunities out of that integration.
What are the main difficulties associated with implementing security policies in both public and private clouds?
Policies come in different flavors: those built-in by the security vendor and those that are customized to an organization’s specific environment and needs. One advantage of using cloud-based security services is that new policy templates can be immediately available to all customers, without requiring a costly and time-consuming upgrade process. On-premises, proxy-based approaches can break cloud functionality, while inserting scalability issues and a single point of failure to cloud computing.
The main challenge is that they don’t have the resources (FTEs, etc.) now. Addressing the new challenges and leverages the latest technologies that are out there is not possible. And that may require some level of alignment in security organizations. However, with some security solutions available as a service, it’s a way to offload those responsibilities and consume them as utility.
In the past few years we’ve seen a number of revelations that exposed the capabilities of the U.S. surveillance machine. What’s your take on businesses increasingly placing their trust in cloud providers with infrastructures located outside of the United States?
This is an extremely difficult question with no easy answer. Businesses will continue to change their behaviors to best protect their interests, and laws and legal frameworks for sharing information between governments will continue to adapt. As recent news reports have shown, government surveillance is not limited to the U.S. Many European countries have adopted vast information-gathering networks that rival what is being done in the United States. Choosing a cloud service by geographic location may be important to many businesses today, but time will show that the impact of the data center location may be less than what is expected.
A trend that we’re seeing is not necessarily to look at these as vendors that offer these solutions outside of the U.S., rather, it’s the options, or lack thereof, to implement some controls over sensitive data specifically, such as encryption. Encryption is not a silver bullet; that’s not what I’m saying. I’m referring to the ability to selectively encrypt the most sensitive data; not all of the data. There is an inherent balance of user disruption and convenience of access, while retaining or providing control to the customer so that they can ensure not just anyone can read their sensitive information. Applying some additional risk-based controls over that data is a trend I think can help.
The legal landscape is changing and we want to make sure that we can enjoy the security that these vendors baked into their environments and not be pushed away from them since they have the best infrastructure out there.