Cloud service providers, the theory goes, will be able to provide better security than enterprises can muster because their scale will enable them to hire the best experts and employ the latest technology. But others say if you’re really concerned you’ll keep it in house, that cloud represents a fundamental risk.
CTO of Cloud Security Strategy at IBM Security Solutions, says the false sense of comfort organizations gain from keeping security within their own four walls can lead to poor monitoring and overzealous trust.
Executive Vice President of Product Operations at BeyondTrust, says the same virtualization layer that makes clouds possible creates an additional layer of risk for any cloud-based service.
Leave security to the experts
The outdated concepts of yesterday's security model focused on building walls around data to keep “the bad guys” from gaining entry. But today, organizations realize they also face threats from within. In just the last year, nearly half of all breaches were caused by insiders -- either by accident or malice.
Clearly we are witnessing a security landscape that is evolving and becoming ever more sophisticated. To that end, organizations must shift their security strategy if they want to stay ahead of the threat. Housing data within the perimeter of an organization, as many businesses have been inclined to do over the years, is no longer the only -- or even the safest -- way to protect confidential information.
In fact, we believe the cloud holds the promise of being more secure than traditional computing models. The false sense of comfort that organizations gain from keeping security within their own four walls can lead to poor monitoring and overzealous trust -- a challenge that by its very nature does not exist in outsourced activities such as cloud.
Working with a skilled vendor that has the capabilities and knowledge to help make cloud computing a reality is the most secure way for any company to protect its data. To qualify the argument, let's look at the key factors the cloud offers organizations which result in the opportunity for greater comfort in security:
* The myth of the cloud is that you take your data and give it to a third party -- an oversimplification of cloud adoption. In reality, as organizations move to cloud technology they do so in a very deliberate fashion, often determined by the specific purpose or work they want to accomplish. This results in organizations having increased awareness of their data and information, so they are focused on identifying and providing specialized protections for critical or sensitive information. For instance, clients who have collaboration and e-mail in the cloud need to think about access and policy controls, while clients focused on healthcare in the cloud need to be concerned with data isolation and encryption.
* The cloud offers the ability for organizations to centralize their cloud management and augment their offerings with security as a service. Why is this important? Well, the threats to organizations increase every day. Attackers have new techniques and insights into obtaining access to organizations’ information, so these services often provide access to the latest thinking and protections in a timeframe significantly accelerated over that of traditional environments.
* Cloud vendors who focus on workload-driven security have the ability to focus their attention on securing one thing very well, as opposed to attempting to apply a general security paradigm with a broader threat surface. In addition, most large cloud vendors have greater financial capabilities than traditional environments, and see security spending as a business value differentiator, not just an expense.
* There is a deficit of skilled security professionals, and organizations struggle to find the skills they need to address their security needs. In fact, recent skills reports found that information security positions experienced 109% growth over last year, despite overall lagging IT employment numbers. Security is and has always been hard, and the fact that organizations will struggle to hire and retain security experts means that emerging technologies and organizations with large finances will get the lion's share of skilled resources.
When organizations take an unemotional look at security and the concerns they have about protecting their data, they often realize that their resistance to cloud technologies is not based on pragmatic factors, but rather on their own misconceptions and idea of trust. When organizations look beyond these factors they will realize that cloud computing offers not only the opportunity to achieve greater security of information, but also financial benefits and access to world-class security expertise. This will be especially alluring for small and mid-sized businesses, which need the same levels of security their larger competitors benefit from.
IBM provides an extensive portfolio of hardware, software solutions, professional and managed services offerings covering the spectrum of IT and business security risks.
Not at this pace
The real question isn't whether your cloud vendor can provide better security, but whether they actually will. According to surveys by the Ponemon Institute and IDC, security is the top concern associated with the cloud, yet only 23% of cloud customers require proof of compliance from their vendors. Additionally, 62% of executives don't trust their ability to protect data in the cloud, yet only 20% regularly involve the security team in the cloud decision-making process.
While cloud vendors often have larger scale operations that imply the potential for more resources and expertise to protect your data, that potential will only be realized if customers provide the oversight, funds and service level requirements to make sound security processes a good business decision for the vendors. This entails security teams getting more involved, companies allowing security to influence buying decisions and insisting on regular reporting on security processes and service-level agreements.
Additionally, there are some areas, like insider threat and administrative privileges, where using a cloud vendor will always represent greater risk. These risks are exacerbated by the lack of best practices.
Customer beckoning critical
Corporations evaluate security investments based on risk metrics. If you're Goldman Sachs, the chance of an internal employee trying to steal the proprietary code that runs the company's high-volume trading platform is a colossal risk. The code is worth millions and an empire of stock trading has been built on it.
Goldman's precautions in protecting that data paid off when an ex-programmer was caught trying to steal the code with what appears to be the intent to sell it to a competitor.
If a cloud vendor were hosting that code on their servers, how would their security motivation compare? What if it was the cloud vendor's own programmer that stole the code? Wouldn't their risk motivate them not to tell the client? Corporations have pieces of data where billions of dollars are at risk. How can they entrust that to a vendor whose security processes they haven't even verified? The series of recent breaches at McDonald's, Honda and Walgreens should be a testament to the damage that can be done by a single weak link at a third-party vendor.
Cloud vendors need to be motivated by their customers to invest in security, because their own risk metrics don't justify the expense. Today this isn't happening.
The Insider Threat
The same virtualization layer that makes clouds possible creates an additional layer of access to be controlled – the hypervisor – which only the cloud vendor can protect. The truth is that virtualized data can be stolen by anyone with administrative access through a simple 5-minute trick, where security precautions and monitoring tools can be circumvented using the hypervisor.
We did a small informal survey at VMworld and found that 93% had virtualized at least some mission-critical data, but over 70% felt one of their colleagues might be able to steal that data if they wanted.
Studies like the 2010 Data Breach Report and the 2010 Cybersecurity Watch Survey verify that insider breaches cost more and happen more often, because insiders have special access and know-how. Nobody has more of those two things than the IT team itself.
Contending with the insider threat requires the same tools and processes already in place in corporate data centers – you have to set standards and audit them. Does your cloud vendor have SAS 70 Type II certification? Do you verify their controls with on-site visits? Corporations have to enforce SLA violations with real penalties. Customers need to take control of their cloud environment and protect privileged account credentials – especially with businesses like Amazon, where individual developers will likely also have a credit card account with the company.
If we want cloud vendors to be secure enough to protect our corporation's most sensitive data, then cloud customers have to insist on it, communicate their requirements, oversee the controls, ask for reports and ultimately take responsibility for the security of their cloud vendor.
Today we're just not there yet and the technologies to support this are just emerging. For now and the foreseeable future, cloud vendor priorities will be aligned with those of their customers – reducing cost, workload and deployment time while providing new levels of scalability. Some of these priorities are at odds with the time and money resources required to do proper security.
If you are going to move some processing to the cloud, I would encourage you to prioritize and oversee security at your cloud vendors, insist on reporting and improve protections of even less sensitive data, even if your crown jewels are still safe at home on your own servers.
BeyondTrust develops, markets and supports a suite of access control products that protects hypervisors, Unix/Linux servers, Windows desktops and cloud environments from the abuse of administrative privileges.