Wolfgang Kandek, CTO of Qualys, looks at where the responsibility lies when it comes to cloud security.
The role of cloud computing within IT has grown massively over the past four years. In 2012, only 12 per cent of companies had any applications or services running in the cloud; this has grown to just over 69 per cent in 2015, according to IDG Enterprise research.
However, this growth has its own challenges and issues. At the forefront is how IT teams within businesses can retain control over how IT services are getting used, as well as maintaining security of the company’s data over time.
For IT, cloud represents a quandary around security. On the one hand, using cloud services can make it easier for a business, as there is a set of specialists within the service provider responsible for stopping attacks and keeping data safe. Indeed, this ability to be secure is fundamental to their business success, as any loss of data would see customers abandon them in droves. However, the fact that it’s so easy for individuals or line of business teams to sign up for cloud services means that data is spread much further.
The truth is that cloud is no more and no less secure than traditional IT implementations. However, it is different. The fundamental question to answer is whether you are looking at security in the cloud, or security of the cloud. The former involves knowing how IT systems are implemented on public cloud services or making use of “As A Service” applications, while the latter covers the physical, virtual and storage resources that exist and make up the cloud service.
It’s important to make this distinction, as it’s easy to see gaps develop between internal IT security teams, line of business users and the cloud service providers involved. It’s these gaps that lead to vulnerabilities creeping in that might cause data breaches or loss of information.
Security in the cloud – how to track use of assets and applications
The shift to new applications that are hosted in the cloud also has an effect on internal IT – each app that now runs on a public cloud service no longer resides on a set of internal servers and storage. For many small businesses, this will be business as normal; for larger enterprises, the reduction in internal IT will be felt more sharply.
This migration to the cloud means that previous IT security investments like Firewalls and Intrusion Detection have less to protect over time. While corporate data may live within the organisation and need to be secured, much of a company’s new data will be created either in the cloud or on endpoint devices that connect to those cloud services. This presents a problem – traditional IT security strategies are based on securing a well-defined perimeter rather than the more flexible environment that exists today.
Instead, it is worth looking at how to track the use of IT assets of all kinds, and the deployment of patches to them, whether they are within the corporate network or out in the wilds of the public Internet. For IT staff, the ability to see on a continuous basis where updates are in place – and, more importantly, where they have not been applied – can help keep devices and data secure. As more applications and data move to the cloud, using cloud services to track that activity makes sense.
Security of the cloud – where responsibilities overlap
For companies looking at how to make use of public cloud services, the likes of Amazon Web Services and Microsoft Azure would normally be the first ports of call. AWS generated around $2 billion in revenue for Amazon in Q3 2015, and continues to grow rapidly. For IT teams that are looking at setting up copies of their internal IT systems on the cloud, or building new applications for the organisation, AWS offers a very cost-effective platform to build on.
However, AWS is very much presented in a “take it or leave it” fashion when it comes to security. Application and data security on AWS remains the responsibility of the company IT team. This includes obvious areas like security of customer data through encryption, management of identities for accounts that should be allowed access to data, network traffic protection and Firewall configuration on AWS. The other side of this is that the infrastructure underneath all that data is kept secure by AWS. This infrastructure includes the physical compute, storage and networking used by workloads, as well as the databases used to hold data in the cloud.
While it is possible to run secure workloads on AWS, it is up to the customer to get this implementation right. To some extent, this makes a lot of sense – AWS wants to serve as many customers as possible, so enforcing specific security approaches would reduce this opportunity considerably. At the same time, companies building on AWS can benefit from applying the technologies and approaches that best suit their needs.
To ensure that company data and workloads remain secure when running on AWS, it’s important to scan them on a regular basis. While many internal IT assets would be scanned infrequently to avoid hits on performance, the availability of compute power in the cloud makes this much less of an issue. This means that scans can be conducted more often, therefore flagging issues faster and ensuring they can be mitigated or fixed earlier.
For companies considering how they use AWS, there are APIs (Application Programming Interfaces) available that can make it possible to track asset status and updates over time. One of the important things to bear in mind about tracking workloads in a multi-tenant cloud is that they are much more ‘mobile’ than on internal virtualisation deployments. Rather than tracking based on IP addresses, the Amazon ID should be used to ensure that security scans are applied to the right workloads.
This ensures that company IT teams don’t accidentally gain access to others’ sensitive data. By tracking these assets dynamically, it’s also possible to ensure that all the required security policies and management reporting requirements are met.
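The two points above – continuous tracking of where patches are missing, and keying scan targets on the provider's instance ID rather than on an IP address that can be released and reused – can be shown in a small inventory model. This is an added example, not code from the article or from Qualys; it assumes "Amazon ID" refers to the provider-assigned instance ID, and all instance IDs, addresses, patch names, owners and timestamps are constructed placeholders. The `Inventory` class and `resolve_targets` helper are hypothetical, not a real AWS or Qualys API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Asset:
    instance_id: str                                  # provider-assigned, stable for the instance's life
    owner: str                                        # team that owns the workload
    ip: str                                           # current address; can be released and reused
    required: Set[str] = field(default_factory=set)   # patches policy says must be present
    applied: Set[str] = field(default_factory=set)    # patches seen installed at the last scan
    last_scan: Optional[datetime] = None

    def missing_patches(self) -> List[str]:
        return sorted(self.required - self.applied)


class Inventory:
    """Asset inventory keyed on instance ID; the IP address is only an attribute."""

    def __init__(self) -> None:
        self._assets: Dict[str, Asset] = {}

    def register(self, asset: Asset) -> None:
        self._assets[asset.instance_id] = asset

    def reassign_ip(self, instance_id: str, new_ip: str) -> None:
        self._assets[instance_id].ip = new_ip

    def by_id(self, instance_id: str) -> Optional[Asset]:
        return self._assets.get(instance_id)

    def by_ip(self, ip: str) -> Optional[Asset]:
        # Whoever holds the address right now; this is the fragile lookup.
        return next((a for a in self._assets.values() if a.ip == ip), None)

    def record_scan(self, instance_id: str, applied: Set[str], when: datetime) -> None:
        asset = self._assets[instance_id]
        asset.applied = set(applied)
        asset.last_scan = when

    def missing_report(self) -> Dict[str, List[str]]:
        # Instance IDs that still lack a required patch, with the missing items.
        return {i: a.missing_patches() for i, a in self._assets.items() if a.missing_patches()}

    def overdue(self, now: datetime, max_age: timedelta) -> List[str]:
        # Instances never scanned, or not scanned within max_age.
        return sorted(i for i, a in self._assets.items()
                      if a.last_scan is None or now - a.last_scan > max_age)


def resolve_targets(inv: Inventory, schedule: List[Tuple[str, str]], key: str) -> Dict[str, Optional[str]]:
    """Map each scheduled (instance_id, ip) pair to the instance the scan would actually reach.

    key="ip" resolves by the address captured when the scan was planned (stale after reuse);
    key="id" resolves by instance ID and follows the workload to its current address.
    None means the address is no longer held by any asset we own, so a scan of it would hit
    an unknown host, possibly another tenant's.
    """
    out: Dict[str, Optional[str]] = {}
    for inst, ip in schedule:
        asset = inv.by_ip(ip) if key == "ip" else inv.by_id(inst)
        out[inst] = asset.instance_id if asset else None
    return out


def build_demo() -> Tuple[Inventory, List[Tuple[str, str]]]:
    """Constructed scenario: a scan is planned, then addresses move before it runs."""
    inv = Inventory()
    inv.register(Asset("i-web01", "web-team", "10.0.1.5", required={"KB-A", "KB-B"}))
    inv.register(Asset("i-db01", "data-team", "10.0.1.8", required={"KB-A", "KB-C"}))
    schedule = [(a.instance_id, a.ip) for a in (inv.by_id("i-web01"), inv.by_id("i-db01"))]
    # Later: web01 was stopped and started and got a new address; db01 was rebuilt and
    # picked up the freed 10.0.1.5, while 10.0.1.8 went back to the provider's pool.
    inv.reassign_ip("i-web01", "10.0.1.9")
    inv.reassign_ip("i-db01", "10.0.1.5")
    return inv, schedule


if __name__ == "__main__":
    inv, schedule = build_demo()
    print("by ip:", resolve_targets(inv, schedule, "ip"))   # web01's old address now reaches db01
    print("by id:", resolve_targets(inv, schedule, "id"))   # each scan follows its instance
    now = datetime(2015, 12, 1, tzinfo=timezone.utc)        # constructed timestamp
    inv.record_scan("i-web01", {"KB-A"}, now)
    print("missing:", inv.missing_report())
    print("overdue:", inv.overdue(now + timedelta(hours=1), timedelta(days=1)))
```

The IP-keyed resolution attributes the web server's scan to the database instance and points the second scan at an address nobody in the inventory owns any more; the ID-keyed resolution reaches both workloads at their current addresses, and the same inventory then yields the continuous "what is missing" and "what has not been scanned recently" views the text describes.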
For companies making use of cloud, security remains a challenge. However, cloud services can be deployed to help make the job of managing security easier.
Throughout January, PCR is running a dedicated Sector Spotlight on The Cloud.