Cloud security, like dating, isn’t really about love; it all comes down to trust. That’s according to Jay Heiser, a Gartner Research VP who hosted a recent webinar on keeping your cloud situation safe.
You may love your cloud service provider (CSP) for all sorts of reasons. Awesome SLA! Bargain rates! 24/7 support! That doesn’t mean you can trust the security of their cloud service.
Heiser pointed out that by using public cloud, for example, an enterprise exposes its own network to thousands of third-party risks it has absolutely no control over.
“The challenge is in determining how secure all of these external parties are that we have an intimate relationship with … It’s a bit like going on a date and getting a certificate from your potential partner that they are free of disease.”
“While it’s understandable,” he continued, “that we want to know how secure everyone else is, it’s not practical for any organization — even the very largest organization — to conduct full-blown risk assessments on a large number of external parties.”
If organizations can never get a 100 per cent guarantee of cloud security, what can they do? Heiser offered up some helpful recommendations.
Quit doubting public cloud
Despite third-party risk exposure, Heiser said there’s actually no hard evidence that public cloud providers are less secure than in-house implementations.
“(Public cloud) has proven to be a sustainable form of computing and while there have been a number of concerns and security mistakes that have been made, for the most part it’s been a sustainable experience and seems to be improving.”
Size up your CSP
Don’t assume all cloud providers are the same — or offer the same level of security. “We should not approach all cloud service providers as if they are a single quantity. We need to adjust the level and form of effort to the circumstances of the cloud service provider,” Heiser said.
A quick way of gauging security risk is to figure out which tier your CSP belongs to. If your CSP belongs to what Heiser calls Tier 1 (a large, multibillion-dollar provider with more than 10 years’ experience offering multi-tenant cloud service) it’s probably undergone several third-party security evaluations. There are only about 15 Tier 1 CSPs worldwide, Heiser estimated, and their security risk is fairly low.
Let’s skip over to Tier 3, comprised of small and relatively new CSPs. Heiser said these providers may not be financially stable, let alone secure, so they carry the highest risk level.
That leaves Tier 2, which most CSPs fall into. Tier 2 providers have five or more years of successful business experience, offer many SaaS-based apps and “perhaps have undergone a third-party security evaluation,” Heiser said. These carry a medium degree of risk.
Protect virtualized workloads
Many virtualized environments have embraced DevOps. But one of the difficulties with DevOps is that there’s no consensus about the ‘right’ way to approach security.
That’s because developers in a DevOps model operate with a lot of autonomy and privileges — including the authority to set firewall permissions. Heiser said this is great for writing and releasing new code, but challenging when security inevitably has to be addressed.
Your best bet for security in a virtualized DevOps environment is to home in on protecting workloads, Heiser said. The most important strategies in workload protection include operations hygiene, hardening/configuration/vulnerability management, system integrity monitoring and management, application control/whitelisting and exploit protection/memory protection.
Less important workload protection strategies, he said, are IaaS data-at-rest encryption, server workload EDR (endpoint detection and response) behavioral monitoring and HIPS (host intrusion prevention system) with vulnerability shielding.
Safeguard SaaS data
SaaS can bring quite a few security risks into an enterprise, Heiser said, namely shadow IT.
“SaaS is primarily under the control of end users. If we don’t put technical blocks in place, an individual or department can go procure whatever they want and just use it. Plus, the code stack is under the control of the provider … There’s not much transparency so it’s difficult for us to know what’s being done with that code.”
As with the CSP tiers, Heiser breaks down SaaS security safeguards into three distinct categories: key, recommended and optional. He lists “key” security controls for SaaS applications as email encryption, network access encryption, anti-spam/malware scanning and auditing/logging/alerting.
His “recommended” security controls for SaaS (not must-have but advisable) include DLP (data loss prevention), tokenization, usage reporting, adaptive access control, content sandboxing and enterprise log integration. His “optional” safeguards are data encryption at rest, RMS (rights management services), high-trust authorization for administrators and UEBA (user and entity behavioral analytics).
Heiser’s approach boils down to assessing your cloud risk realistically, then setting priorities for tackling each risk. The biggest step is to take responsibility for your cloud safety instead of laying it all at the feet of your provider.
“Really our overall message is that it is your responsibility,” Heiser said. “We can’t just assume that clouds are secure. We can assume that it gives us an opportunity to be more secure than in the past if we choose to take appropriate utilization of that opportunity.”