Security or Cloud – Can You Have Both?

The cloud offers compelling economics for organizations. Many that swore never to touch public infrastructure and platform cloud are becoming converts. In fact, as Oracle's recent Your Platform research shows, those forward-thinking businesses that have already reached cloud maturity (with on average 70% or more of their applications operating in the cloud) are outperforming their competitors.

Concerns over security remain

At the same time, the 2018 Oracle and KPMG Cloud Threat Report shows that threat levels continue to be high. Most respondents were concerned about cybersecurity, with around one-fifth suffering daily attacks, as a result of which 51% had suffered financial implications, and 66% had faced interruptions to business operations.

Overall, cloud confidence has led to a significant migration of sensitive data out of private data centers, with nearly all respondents categorizing half or more of their cloud-resident data as sensitive.

So is this the end of the cloud security story? Not quite. The threat report also reveals that much about the shared responsibility model of cloud security is misunderstood, and this is leaving many open to issues.

A New Dilemma

Typically, providers of public infrastructure and platform cloud services deliver what is referred to as security of the cloud. This is underpinned by an alphabet soup of standards, ranging from service organization controls (SOC)-based certifications to FedRAMP in the US, IRAP in Australia and PDPA in Singapore.

PaaS and IaaS users will rigorously vet prospective cloud providers to ensure compliance with these standards as part of their decision-making process. Indeed, 98% of all organizations surveyed in the threat report said they conduct formal cybersecurity reviews of their public cloud service providers before doing business with those firms. The result is that cloud consumers can rely on conformance to a set of agreed principles and standards as far as security of the cloud is concerned.

Allied to the need for security of the cloud is the need for security in the cloud. This relates to the need to secure the software components, processes, identities and data that reside in the cloud. Rather than being the responsibility of the service provider, these elements sit (conceptually) “above” the service boundary and remain the responsibility of the customer.

The challenge is that this implies both a clear understanding of where this service boundary sits (good fences make good neighbors, as a poet once said) and an appreciation of what, precisely, the cloud consumer is responsible for.

Security in the Cloud

To help customers deploy and manage cloud services, the Cloud Service Provider typically provides a service “control plane” that includes application programming interfaces (APIs) and exposes certain functions. Additionally, in some cases, the cloud applications or services deployed in the cloud may come with a set of accompanying security-related services.

This seems straightforward. However, a major source of security issues lies in the individual end user engaging with the cloud service as if it were one in a traditional on-premise environment. Until recently, they have known no other paradigm, and it shouldn't be something the end user ever has to know or care about.

The challenge is that in a cloud environment, the virtualization of networking and infrastructure is implicit in the architecture itself. This provides a level of dynamism that can be difficult to replicate with on-premise environments. While this is a net positive, one consequence of this architecture is that the (customer's) cloud administrator may be just three or four clicks away from exposing all of the information assets within a given cloud service to the public internet. These clicks might originate through accident, malice or via the compromise of a cloud administrator's credentials by some adversary. Cloud users may also find, all too quickly, that their oversights and errors in working with this new model are amplified.

No wonder Gartner recently predicted that, by 2020, 95% of all data breaches in the public cloud would be the customer’s fault.

So, while Cloud Providers of scale can provide a level of security of the cloud that far exceeds what a typical organization can achieve on-premise, the power and dynamism afforded to the cloud consumer may work to amplify any deficiencies in the security posture in the cloud. Cloud consumers need a different approach. They need to move away from (habitually) focusing close to 100% of their cloud security efforts on ensuring security of the cloud. While this may handle 100% of their compliance requirement, it deals with only 5% of the risk, leaving the remaining 95% poorly mitigated, if at all.

What needs to be done?

Although not directly responsible for their customers' security in the cloud, cloud providers can help their users navigate security in this complex domain. There are three things customers should look for from their cloud providers:

  1. Security services externalized as cloud services in their own right. One example is IDaaS (Identity-as-a-Service). Data masking and data auditing are other examples. The fundamental goal here is to remove the need (if not the desire) for developers to bake their security controls into their code. Any practitioner of DevSecOps recognizes this as one of the foundational architectural pillars underlying this movement.
  2. Embedded security technologies – to allow such technologies to be configured and operated by a customer in the cloud. Examples would be the provision of controls that enforce the segregation-of-duties at the database layer, on-disk encryption, etc.
  3. Tools to monitor all access to enterprise resources – whether cloud or on-premise based. In short, while preventive controls are necessary, they are not sufficient. Increasingly, given the "low and slow" nature of modern threats, the game is one of detection rather than mere prevention. Furthermore, the malicious activity represented by these threats is increasingly spanning both on-premise and cloud domains. Information about this activity must be contextualized by the two dimensions of most relevance to cybersecurity – namely, identity and asset. Specifically: who is accessing (or has proximity to) the information of value to the organization?

This last requirement is particularly key in today's hybrid cloud environment, given that each cloud service may often touch other cloud services as well as other on-premises systems. This amplifies the downsides of any 'mistakes' and reinforces the need for end-to-end visibility wherever identities and assets reside.

The basic principles underlying this three-pronged approach to a cloud security control framework are clear: clarity on the division of security responsibilities between cloud consumer and provider, augmented with a robust approach to dealing with the 95% of risk that resides in the cloud.

What is clear is that companies that are well served by security strategies that permit an acceleration of their cloud initiatives, aided by an approach to risk and compliance both of and in the cloud, are benefiting and steaming ahead.

At the other end of the scale, traditional organizations that lack a deeper understanding of key security aspects of the new paradigm will find their cloud adoption slowed, with their security unit remaining the "Department of No." This means that either the full benefits of the cloud will not be realized, or cloud usage will potentially be driven underground, opening the organization up to new risks. Neither of these outcomes is likely to be profitable.

This is a contributed article from Chris Pickett, Security Specialist, Oracle APAC. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.