The cloud has completely changed the nature of network and application architecture. The changes have been profound. Security has to be reconsidered for this new world as data is spread over a greater area and accessed from more devices and locations than ever before.
With the cost-benefit equation strongly tipped towards deploying cloud solutions, many companies make the leap without fully understanding what this means for their data. At the CSO Perspectives Roadshow, held in Brisbane, Matt Berry from Vmware, security expert Mark Loveless, former FBI agent Jeff Lanza, and Mark Jones from ENEX Carbon discussed the issues they see for applications security in the cloud-based world.
The discussion started with an exploration of how the risk profile of data and applications change once things start moving to the cloud. Berry said it depends on what services you are procuring.
"If you're buying infrastructure as a service, then I think the platform you are using looks like the platform you're using on-prem. The effort you take to securing your on-premise apps really should be the same as the time and effort you put into securing your cloud-based apps".
However, he contrasted this with SaaS (Software as a Service) where you may have no visibility of how that application is secured. Then, you really need to consider what you are sending to the service and ensure you are making sound decisions.
Loveless added "In a lot of cases, when people are moving their data to the cloud it is still their data. But if you're moving internal data and applications then things may become a title more dicey. If you were relying on your permitted before to protect you, you've just lost it. Your controls for getting and from that data need to be looked at, particularly in the case when you're using a provider that uses different controls to what you're used to or different technology".
Encryption is an important component of security. Lanza said he wouldn't necessarily automatically trust the encryption used by service providers.
"You want to encrypt it before it goes to the cloud," said Lanza.
When it comes to evaluating the security bona fides of different providers, Loveless said it can be challenging. He suggests you need to see cloud providers just like any other vendor where you perform due diligence to determine what level of trust you assign to them.
For example, Loveless uses a messaging platform. He says there is information he would not share in that system while there is other information he would freely share. It's a question of making an informed determination of what level of trust to give. Coming from a government background, he says you can assign different levels of "clearance" to different applications.
Jones noted that there is a market opportunity for businesses to conduct security evaluations of SaaS and IaaS providers to organisations contemplating the use of cloud-based technology.
Berry said it's essential "to get your questions ready" so you can ask providers the right questions for your business. He noted that most providers have all the answers ready but won't disclose them unless asked.
One of the accusations levelled at cloud providers is that they are inflexible and won't meet the specific security needs of large organisations and, in some cases, government agencies. Lanza said the FBI uses cloud services as do other law enforcement agencies.
Given their stringent data protection needs, Lanza said the FBI dictates their requirements to cloud providers. For example, he said Amazon offers government cloud services that are more flexible and able to meet the different needs of government agencies. Locally, it was noted that Telstra offers custom services for government agencies in Canberra.
On the question of sovereignty, Berry said concerns over the location of an application are not significant with the customers he deals with.
"They are more interested in whether the app is close to the customer, is the latency low enough, is the performance good enough. I don't think they're too worried about where the app is. They have their own developers ensuring security or they use a SaaS provider that offers the required security," said Berry.
Loveless made the point that application patching is often faster with cloud providers than with on-prem systems. He noted that the company he works for, Duo Security, has detected issues with service providers and seen them patched within minutes for all customers. This is something many businesses aren't equipped to do with on-prem systems.
For cloud providers there is a significant business imperative to quickly patching systems and rectifying faults added Berry.
However, many cloud providers appear to be a "black box" with opaque security credentials and controls that are difficult to learn about. It can be difficult to know what controls they are employing. This leads to a trust issue. Berry said it's important to understand what services are being offered by cloud providers and not to assume anything.
Different providers are also at different points of the maturity continuum added Loveless. He noted Content Distribution Networks (CDNs) have been around for some time and had developed processes and controls over time that adapted to the changing threat landscape.
"I've been poking around these since they came online," said Loveless. "Is it secure? Can I have a little fun with this? Things are a lot better, even some of the newer providers, than what's gone on before. The providers are mature enough and have enough tools in place".
He also added it was up to companies to not deploy "crap code" to cloud services.
Lanza said it can be challenging to not only ask the right questions but to also get answers of sufficient depth to give assurances. Getting sufficient information from service providers can be difficult, particularly as they might be protecting that data from the prying eyes of competitors. However, Lanza noted it was possible to get good answers to security questions as some providers would do so under the protection of a non-disclosure agreement.
Berry said "You can dig as deeply as you're prepared to dig" to get answers to those questions. But some may simply refuse to answer questions.
One control people can put in place in order to protect data being sent to cloud providers is to encrypt data before it reaches a third party. Loveless said his company's practice was to encrypt outgoing data before it reached any cloud service. A business decision that balances the performance impact and impact of data loss is made before applying encryption.
There's also the need to understand how third parties manage data. Loveless said his company’s stopped using a particular chat service when they found a security issue with how it handled file attachments.
The final question addressed by the panel was whether there were workloads that should not be sent to the cloud. Berry said the reality is that as long as the right controls are in place then risks can be addressed appropriately. However, it is possible that some legacy applications will not function correctly or perform adequately when shifted to the cloud.