There is No Set It and Forget It for Cloud Security

The public cloud market is scorching nearly every other segment of the IT industry. According to a report from research firm Forrester, the public cloud market will double from its current size to reach $236 billion by the year 2020. But that doesn’t mean there aren’t big problems with cloud adoption – especially when it comes to security and regulatory compliance concerns.

According to the 2016 Cloud Security Spotlight Report, conducted by Crowd Research Partners, security concerns still top the list of barriers to cloud adoption. These security concerns are led by general security anxieties (53 percent, up from 45 percent in last year’s survey), legal and regulatory compliance concerns (42 percent, up from 29 percent), and data loss and leakage risks (40 percent).

While there is a sizable level of apprehension when it comes to cloud security, the other extreme also exists: those who view the cloud, and especially public cloud, as inherently secure. They view the public cloud as some form of Ronco rotisserie oven where security, if it’s thought of at all, is simply “Set it, and Forget it.” Neither of these views is accurate, because “cloud security” is neither an oxymoron nor a security panacea.

However, there are some distinct differences and challenges when it comes to cloud security. Here they are:

The abstracted nature of cloud computing

One of the first challenges in moving to cloud is getting one’s mindset away from data center thinking and dealing with the loss of natural visibility (though tools that provide the necessary visibility have surfaced in the past couple of years). This abstraction and lack of visibility is an important challenge, especially for those who are new to cloud security and often don’t understand where their responsibility for security ends and where the cloud platform provider’s responsibility begins.

The way enterprises measure software risks in cloud changes

When it comes to on-premises software, the ways enterprises measure software risks are established and relatively mature. For traditional software we have the Common Configuration Enumeration (CCE) list and the Common Vulnerabilities and Exposures (CVE) system. There are no CCE or CVE systems for cloud. So how do enterprise security managers know which risks are significant and which are low or moderate? There’s just no equivalent way yet to judge such risks with cloud platforms and cloud-delivered services.

Another challenge is compliance in cloud vs compliance on-premises

There’s also a big difference between what policy and regulatory compliance looks like in public cloud systems and in cloud software services. The Center for Internet Security is working to map those security controls and compliance requirements back to whatever services are running in cloud. It’s important to be able to provide more depth on that, and on what’s compliant and what’s not, when it comes to regulatory compliance and security compliance controls.

Compliance is also different in cloud because cloud environments are so dynamic, especially when compared to on-premises systems and data centers. Consider the difficulty that change control and configuration management efforts have on-premises, and then witness how those challenges are amplified by the constantly dynamic nature of cloud.

Managing data to its classification

There are many who contend that critical data shouldn’t be put into the cloud. Regardless of one’s feelings on the subject, critical data is going to end up in the cloud. In many of the surveys I see, about half of respondents are putting critical or sensitive data (to their enterprise) in cloud systems. Many enterprises are using cloud service providers to hold financial and health-related data. There are serious questions about how to manage this data in the cloud, especially in public cloud environments, as well as how to manage SaaS and other cloud providers who handle sensitive data.

The continuous nature of cloud

The cloud is always on. And unlike the controlled, scheduled, and top-down regimented days gone by, cloud updates are born from continuously delivered software pipelines in organizations where there is a considerable push for agility and continuous updates. This requires DevOps teams to build tools and services that support faster deployment and gather system data and feedback more rapidly, so that they can quickly iterate and improve.

This drive toward continuous computing and continuous software enhancements should play well for security. When it’s approached correctly, enterprises can gather continuous data about the state of their cloud security posture: the types of security controls and compliance rules they have in place, identity, and encryption policies can all be viewed in real time, so that they can track how the entirety of their security strategy is working in the cloud. And for many of the challenges we listed above, that kind of real-time continuous monitoring is necessary.

About George Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. For five years, Hulme served as senior editor at InformationWeek magazine, where he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.
