Cloud Security Alliance CEO’s Top Cloud Security Priorities
Published 10/02/2015
By Jim Reavis, CEO, Cloud Security Alliance.
I would like to thank my friends at Code42 for again giving me a platform to talk about the cloud security issues on my mind. In this blog post, I wanted to discuss some of the changes I am seeing in how security professionals are rethinking best practices as a result of being exposed to cloud computing and what some of the security priorities are as organizations begin to depend upon a critical mass of cloud services.
From comfortable stasis…
Traditional IT systems have been characterized as being static in nature. Indeed, I spent the first 20 years of my career focused on architecture, implementation and security of traditional computer networks. File servers, routers, firewalls and hosts would be carefully sized, designed and put into production, with the hope that they could go years without a single reboot. We valued stability perhaps most of all, and would even develop odd, fond relationships with servers—treating them a bit like favorite pets. Systems would be patched and upgraded of course, but only when deemed absolutely necessary, and only after significant research and regression testing of the updates.
The information security solutions that grew up around this environment recognized the relative permanence of these systems and developed their security strategies accordingly. Detection and prevention of viruses, performing forensics on breaches and several other tasks are carefully integrated with systems, lest we disturb these permanent servers. Sometimes we couldn’t even eradicate malware, as the cure (a reboot with downtime) was worse than the disease. These static systems are actually very fragile.
To ephemeral clouds
By contrast, cloud computing is highly dynamic. We turn services on or off at will. Virtual machines are very transient, not eligible for pet names, unless as part of a cloud orchestration tool we are instantiating Rover001..RoverNNN. This ephemeral cloud is causing security professionals to tackle problems differently. Instead of a painstaking malware mitigation program, why not just turn the virtual machine off, start a new VM and point it at your data sets? Maybe we don’t care about all of the malware details from an operational perspective when we can just make it go away and start over.
This is just one example. The reality is, I don’t think we as a security community have yet grasped all of the implications of cloud computing’s essential characteristics, and have not employed enough imagination yet to replace our security strategies with brand new approaches; but clearly the wheels are turning. It is exciting to see the experts start with a blank slate, rather than duplicating a questionable security tool in cloud.
New approaches to old (and new) security problems
As we are in this phase of transitioning to cloud, security professionals are seeking their ground zero for sound security strategies. Many organizations are starting with their data and working outward from there. A lot goes into protecting data, so I’ll just mention a few priorities. Strong authentication is becoming so common, that it makes an old security professional positively giddy. When you think about some of the early so-called cloud breaches, they were actually not direct attacks on cloud providers, but account takeovers caused by attacks upon a user’s ID and password. We have a lot more to implement here, but it is going in the right direction. Closely related is identity federation. We simply cannot afford to have an employee’s login credentials stored at hundreds of provider locations and must federate our directories rather than duplicating them.
Encryption has proven to be a remarkably resilient security control. When you have the option, take it. CSAexpounds upon the importance of customer control of keys to create an appropriate separation of duties. The challenge for encryption going forward is to make it applicable in as many cloud use cases as possible. Notably, providing encryption for Software-as-a-Service (SaaS) is an important area CSA is focused on, with our new OpenAPI working group seeking to provide an approach that creates seamless encryption that works across any cloud provider.
Taking new approaches to old security problems is a great thing to see. Of course cloud will bring some interesting new security problems, but we’ll leave that for another blog post.
(This post first appeared on Code42's blog Data on the Edge)