IT Security

Cloud: risk or opportunity?

by Mark Rowe

Security concerns are still seen by many as a major hurdle to be passed before the cloud can truly deliver on its potential, writes Russell Spitler, pictured, Vice President, Product Strategy, AlienVault.

A recent survey by AlienVault found that 90% of organizations are still concerned about security risks in the cloud. But the truth is that this is mostly a matter of perspective. The cloud is not an inherently insecure environment, but it has a different security model which needs to be planned carefully. It comes with new responsibilities and new trust relationships that need to be established in order to properly secure your environment. But if these environments are approached in the right way, they actually have the potential to be far more secure than traditional data centers.

When discussing the cloud, key terms can mean different things to different people, so confusion can set in right from the outset. Our dialogue on this topic is often confused and leads to an early disconnect at best or a fundamental misunderstanding at worst. The confusion related to security in the cloud causes hesitance to leverage the various forms of cloud services to their fullest potential. To be very explicit, “cloud security” can mean three very different things:

– A SaaS (software as a service) offering that provides a security service
– An offering that helps you monitor SaaS services (note that this has no bearing on its delivery form – SaaS, on-premise software or appliance)
– The set of tools/features required to secure an IaaS (infrastructure as a service) environment.

Understanding these three variants of ‘cloud security’ is important to then realize the promise and the risk of your own use of the cloud.

The risk we run with the cloud largely depends on the nature of our use. However, since cloud services have proven to be viral in nature, most organizations make use of both SaaS and IaaS, whether or not it is in line with corporate policy. Recent research has shown SaaS offerings being leveraged as points of data exfiltration and used as command and control (C&C) channels. This is an ingenious way to side-step traditional perimeter-based detection technologies. By leveraging a SaaS service in an attack, the controls traditionally used to detect large-scale data loss and C&C traffic are rendered useless, as the malicious activity now blends with the benign. This integration of SaaS into the methods used by attackers is a sure sign of widespread cloud adoption. In a similar vein, there has been research published about attacks targeting IaaS environments and leveraging components of the IaaS service as a mechanism for privilege escalation or to pivot in the environment. This again reflects an increased understanding of the nature of IaaS by attackers and increases the responsibility of users to properly monitor and secure such environments.

Even with a current understanding of the risks related to use of IaaS and SaaS, we need to remind ourselves of the potential for causalities. Attackers target and leverage these services because that is where our data is stored. An attacker who is targeting us will not simply stop if we are not using the cloud; they will simply leverage other techniques when attacking us. A similar point can be made for broad-based attacks. If the broad-based attacks we face today only targeted cloud environments, we might have a case against using such environments. However, at this point the majority of broad-based attacks still target traditional environments. Thus, avoiding the use of the cloud is not an action that will make us inherently more secure. Just as with the adoption of any other technology, we must understand the cost and weigh it against the benefits of use.

When working with cloud providers it is important to establish what responsibilities you retain for security and what is managed by the provider. Depending on the nature of the service, the line of responsibility shifts. For IaaS providers, the customer is responsible for the operating system up; however, for SaaS providers, the customer is responsible for privileged users. This has a major impact on the security controls we implement to shore up our end of the bargain. With IaaS providers, we need to start at the OS level and take full advantage of the automation and configuration tools provided. Beautifully segmented networks with fully encrypted network connections and hardened systems are now scriptable features of our data centers. With both IaaS and SaaS providers, we need to keep a close eye on the administrative audit logs to monitor privileged user access and ensure appropriate use of the features in the environment. Automated analysis and monitoring of these logs is critical to identify the difference between a DevOps engineer spinning up a new server and an attacker taking advantage of compromised credentials.
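The audit-log monitoring described above can be sketched as a per-user baseline check; this is an added example, not code from the article or from any provider. The record schema, action names, user name and IP addresses are constructed for illustration and do not match a real provider's log format.

```python
import ipaddress
from collections import defaultdict

# Constructed audit records in a simplified, hypothetical schema
# (not any provider's real log format). IPs are documentation ranges.
HISTORY = [
    {"user": "dev-alice", "action": "instance.create", "src_ip": "203.0.113.10", "region": "eu-west-1"},
    {"user": "dev-alice", "action": "instance.create", "src_ip": "203.0.113.77", "region": "eu-west-1"},
    {"user": "dev-alice", "action": "storage.read", "src_ip": "203.0.113.10", "region": "eu-west-1"},
]
NEW_EVENTS = [
    {"user": "dev-alice", "action": "instance.create", "src_ip": "203.0.113.45", "region": "eu-west-1"},
    {"user": "dev-alice", "action": "instance.create", "src_ip": "198.51.100.23", "region": "ap-south-1"},
    {"user": "dev-alice", "action": "accesskey.create", "src_ip": "198.51.100.23", "region": "eu-west-1"},
    {"user": "dev-alice", "action": "storage.read", "src_ip": "198.51.100.23", "region": "ap-south-1"},
]
PRIVILEGED = {"instance.create", "accesskey.create", "user.create", "policy.attach"}

def network(ip, prefix=24):
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def build_profile(events):
    profile = defaultdict(lambda: {"actions": set(), "nets": set(), "regions": set()})
    for e in events:
        p = profile[e["user"]]
        p["actions"].add(e["action"])
        p["nets"].add(network(e["src_ip"]))
        p["regions"].add(e["region"])
    return profile

def deviations(event, profile):
    """List the ways a privileged action departs from the user's baseline."""
    if event["action"] not in PRIVILEGED:
        return []
    p = profile.get(event["user"])
    if p is None:  # a principal with no history is new in every dimension
        return ["no history for principal", "new source network", "new region"]
    reasons = []
    if event["action"] not in p["actions"]:
        reasons.append("first use of action")
    if network(event["src_ip"]) not in p["nets"]:
        reasons.append("new source network")
    if event["region"] not in p["regions"]:
        reasons.append("new region")
    return reasons

def triage(events, profile, threshold=2):
    scored = [(e, deviations(e, profile)) for e in events]
    return [(e["user"], e["action"], r) for e, r in scored if len(r) >= threshold]
```

Calling `triage(NEW_EVENTS, build_profile(HISTORY))` leaves the engineer's routine launch from the usual network alone and surfaces the two privileged actions that deviate from the baseline in at least two dimensions.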

To take advantage of everything the cloud offers requires a careful analysis of the risks. But by taking the time to understand it, and getting to know the policies of your chosen cloud providers, the security potential is limitless. This is a new way of working and requires a new mindset, but taking the time to understand it will reap significant rewards and allow us to move into a new and secure future.

© 2024 Professional Security Magazine. All rights reserved.