Cloud Security: Separating Fact from Fiction
Information security is a perennial concern for the enterprise. Long before cloud computing came on the scene, maintaining the integrity of data and IT infrastructure was critical to success in an increasingly digitized economy.
But worrying about security and understanding the nature of the threats that confront modern data environments are two very different things. And the fact remains that with cloud computing in particular, many enterprises still fail to appreciate the fundamental way in which this paradigm has changed the security equation.
In the Information Security Community on LinkedIn's recently issued Cloud Security Spotlight Report in which more than 1,000 IT professionals shared their views on security in cloud environments, more than 90 percent of respondents identified themselves as either very concerned or moderately concerned about security in public clouds. That makes security the single biggest factor in enterprises' ongoing hesitation to push more of the workload -- especially mission critical data -- onto third-party cloud infrastructures.
Perceived threats to cloud security break down along a number of key lines, the study found. Topping the list is unauthorized access, which was pegged as the single biggest threat in the survey, followed closely by hijacking of accounts, services or traffic. In a way, this is understandable given the fact that one can never be sure of the reliability of third-party infrastructure. But it is also true that when providing cloud services is your business rather than a cost center, investment in state-of-the-art security is a top priority, and cloud providers across the board have shown their commitment to maintain security postures that are second to none (and hard for companies’ private datacenters to match).
Still, other threats arise from the nature of the cloud itself -- or more precisely, the way in which users interact with it. Nearly 40 percent of respondents flagged insecure interfaces and APIs as the top threat, which is only exacerbated by the prevalence of personal devices (BYOD) in the enterprise and the difficulty in maintaining standard security protocols across such a diverse collection of endpoints. As well, there is the rising threat of “Shadow IT” and the potential for users to place critical data on unauthorized storage resources in the cloud.
In confronting these challenges, however, enterprise executives must first come to appreciate the fundamental change to IT infrastructure that the cloud represents. Too often, organizations try to carry the same perimeter-centric security approaches that have served well, or reasonably well, in the past. To implement an effective security framework will require several key changes in the way we think about security:
Shed the Fortress Concept
In a traditional datacenter, most critical data resided in on-premise storage servers and connectivity to the wider world was enabled by a few key edge devices tied to either public or private wide area networks (WANs). This makes it easier to build a firewall and intrusion prevention perimeter around the data ecosystem to prevent critical systems and infrastructure from being compromised. In the cloud, the perimeter is more porous, data is leaving the protected datacenter over open networks and a plethora of mobile devices. This makes placing security on the infrastructure layer alone insufficient because sensitive data is leaving the protected infrastructure and is no longer controlled by the enterprise.
Around two-thirds of survey respondents believe that perimeter defenses alone are insufficient for securing cloud infrastructures and that protecting the workload is also necessary, confirming a shift away from an emphasis on attack prevention and toward a defense-in-depth approach with advanced data protection methods, such as encryption, which is being employed by nearly two-thirds of respondents.
Data is Fluid, Security Should Be Too
Instead, the enterprise should realize that in a dynamic data infrastructure, critical information can wind up virtually anywhere. Employees, for example, may back up their mobile data to unknown hosts without even realizing it. By placing security on the application layer -- or even within the data itself -- enterprise can increase their assurance that the proper defensive mechanisms accompany critical information no matter where it goes.
A key element of this strategy is encryption, for data both at rest and in motion. Already, this is regarded as the most effective means of ensuring data security in the cloud, topping the list for 65 percent of respondents in the Cloud Security survey.
Set and Enforce Consistent Security Across All Data Ecosystems
The cloud may be distributed, but your data architectures should still remain tightly integrated. This is necessary to not only maintain a cohesive data ecosystem but to ensure data does not slip around the security stack in some way.
Going forward, this will become a more significant challenge than maintaining the fortress around physical infrastructure, particularly as knowledge workers become more adept at provisioning and using their own cloud applications and services, often without knowledge or involvement of the IT department.
The Information Security Community on LinkedIn is one of the largest networks of cybersecurity professionals. The Cloud Security Spotlight Report was published by Crowd Research Partners in collaboration with the Information Security Community on LinkedIn and cloud security vendors. Access the full report here.
--Holger Schulze is founder of the Information Security Community on LinkedIn.