By Chris Pickett, Security Specialist, Oracle
The cloud offers compelling economics for organisations. Organisations that swore never to touch public infrastructure and platform cloud are increasingly converts. In fact, as Oracle’s recent Your Platform research shows, those forward-thinking businesses that have already reached cloud maturity (with on average 70 percent or more of their applications operating in the cloud) are outperforming their competitors.
Concerns over security remain
At the same time, the 2018 Oracle and KPMG Cloud Threat Report shows that threat levels continue to be high. Most respondents were concerned about cyber security, with around a fifth suffering daily attacks, as a result of which 51 percent had suffered financial implications and 66 percent had faced interruptions to business operations.
Yet overall, cloud confidence has led to a meaningful migration of sensitive data out of private data centres, with nearly all respondents categorising half or more of their cloud resident data as sensitive.
So is this the end of the cloud security story? Not quite. The threat report also reveals there is a lot that is misunderstood about the shared responsibility model of cloud security that is leaving many open to issues.
A New Dilemma
Typically, providers of public infrastructure and platform cloud services deliver what is referred to as security of the cloud. This is underpinned by an alphabet soup of standards, from SOC-based certifications to CSA's STAR or FedRAMP.
PaaS and IaaS users will rigorously vet prospective cloud providers to ensure compliance with these standards as part of their decision-making process. Indeed, 98 percent of all organisations surveyed in the threat report said they conduct formal cybersecurity reviews of their public cloud service providers prior to doing business with those firms. The result is that cloud consumers can rely on conformance to a set of agreed principles and standards as far as security of the cloud is concerned.
Allied to the need for security of the cloud is the need for security in the cloud. This relates to the need to secure the software components, processes, identities and data that reside in the cloud. Rather than being the responsibility of the service provider, these elements sit (conceptually) “above” the service boundary, and remain the responsibility of the customer.
The challenge is that this implies both a clear understanding of where this service boundary sits (good fences make good neighbours, as a poet once said), and an appreciation of what, precisely, the cloud consumer is responsible for.
Security in the cloud
To help customers deploy and manage cloud services, the Cloud Service Provider typically provides a service “control plane” that includes APIs and exposes certain functions. Additionally, in some cases the cloud applications or services deployed in the cloud may come with a set of accompanying security-related services.
This seems straightforward. However, a major source of security issues lies in the individual end user engaging with the cloud service as if it were one in a traditional on-premise environment. Until recently they have known no other paradigm, and arguably the underlying model is not something an end user should ever need to know or care about.
The challenge is that in a cloud environment, virtualisation of networking and infrastructure is implicit in the architecture itself. This provides a level of dynamism that can be difficult to replicate in on-premise environments. Whilst this is a net positive, one consequence of this architecture is that the (customer’s) cloud administrator may be just three or four clicks away from exposing all of the information assets within a given cloud service to the public internet. These clicks might originate through accident, malice or via the compromise of a cloud administrator’s credentials by some adversary. Cloud users may also find, all too quickly, that their own oversights and errors in working with this new model are amplified.
No wonder Gartner recently predicted that, by 2020, 95 percent of all data breaches in the public cloud will be the customer’s fault.
So, while Cloud Providers of scale can provide a level of security of the cloud that far exceeds what a typical organisation can achieve on-premise, the power and dynamism afforded to the cloud consumer may work to amplify any deficiencies in the security posture in the cloud. Consumers need a different approach. They need to move away from (habitually) focusing close to 100 percent of their cloud security efforts on security of the cloud: whilst this may handle 100 percent of their compliance requirement, it deals with only 5 percent of the risk, leaving the remaining 95 percent poorly mitigated, if at all.
What is to be done?
Although not directly responsible for customer’s security in the cloud, cloud providers can help their users navigate security in this complex domain. Broadly speaking, there are three things customers should look for from their cloud providers:
1. Security services externalised as cloud services in their own right. One example is IDaaS (Identity-as-a-Service). Data masking and data auditing are other examples. The fundamental goal here is to remove the need (if not the desire) for developers to bake their own security controls into their code. Any practitioner of DevSecOps recognizes this as one of the foundational architectural pillars underlying this movement.
2. Embedded security technologies – to allow such technologies to be configured and operated by a customer in the cloud. Examples would be provision of controls that enforce the segregation-of-duties at the database layer, on-disk encryption, etc.
3. Tools to monitor all access to enterprise resources – whether cloud or on-premise based. In short, whilst preventive controls are necessary, they are not sufficient. Increasingly, given the “low and slow” nature of modern threats, the game is one of detection rather than mere prevention. Furthermore, the malicious activity represented by these threats increasingly spans both on-premise and cloud domains. Information about this activity must be contextualised by the two dimensions of most relevance to cybersecurity – namely, identity and asset: specifically, who is accessing, or has proximity to, the information of value to the organisation.
This last requirement is particularly key in today’s hybrid cloud environment, given that it is often the case that each individual cloud service may touch other cloud services as well as other on-premises systems. This amplifies the downsides of any ‘mistakes’, and reinforces the need for end to end visibility wherever identities and assets reside.
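The guardrail implied by points 2 and 3 above can be illustrated in code. The following is an added example, not code from the article or from Oracle: it walks a few constructed cloud audit-log events, flags ingress rule changes that open an asset to the whole internet (the "three or four clicks" failure mode), and reports each finding by identity and asset. The event schema, field names and sample values are assumptions, not any provider's API.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Finding:
    identity: str   # who made the change
    asset: str      # which resource was changed
    port: str       # which port was opened
    source: str     # the source range that was admitted

# Constructed sample events; the schema is hypothetical, not a real provider's.
SAMPLE_EVENTS = [
    {"identity": "alice@corp.example", "asset": "vcn-prod/db-subnet",
     "rule": {"direction": "ingress", "source": "10.0.0.0/8", "port": "1521"}},
    {"identity": "bob@corp.example", "asset": "vcn-prod/db-subnet",
     "rule": {"direction": "ingress", "source": "0.0.0.0/0", "port": "1521"}},
    {"identity": "ci-robot", "asset": "vcn-prod/web-subnet",
     "rule": {"direction": "egress", "source": "0.0.0.0/0", "port": "443"}},
    {"identity": "carol@corp.example", "asset": "bucket-reports",
     "rule": {"direction": "ingress", "source": "::/0", "port": "any"}},
    {"identity": "dave@corp.example", "asset": "vcn-prod/db-subnet",
     "rule": {"direction": "ingress", "source": "not-a-cidr", "port": "22"}},
]

def is_world_open(cidr: str) -> bool:
    """True when the range admits every address of its family (IPv4 or IPv6)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def public_exposure_findings(events: List[dict]) -> List[Finding]:
    """Report every ingress rule that exposes an asset to the public internet."""
    findings = []
    for ev in events:
        rule = ev.get("rule") or {}
        if rule.get("direction") != "ingress":
            continue  # only inbound rules expose assets
        try:
            if not is_world_open(rule["source"]):
                continue
        except (KeyError, ValueError):
            continue  # malformed event: skip it rather than abort the audit
        findings.append(Finding(ev["identity"], ev["asset"],
                                rule.get("port", "any"), rule["source"]))
    return findings

def assets_by_identity(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group exposed assets under the identity that exposed them."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.identity, []).append(f.asset)
    return grouped
```

Run against a real audit feed, the same two functions give the identity-and-asset context the article calls for: who opened what, and to whom.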
The basic principles underlying this three-pronged approach to a cloud security control framework are clear: clarity on the division of security responsibilities between cloud consumer and provider, augmented with a robust approach to dealing with the 95 percent of risk that resides in the cloud.
What is clear is that companies well served by security strategies that permit an acceleration of the organisation’s cloud initiatives, aided by an approach to risk and compliance both of and in the cloud, are benefiting and steaming ahead. At the other end of the scale, traditional organisations that lack a deeper understanding of the key security aspects of the new paradigm will find their cloud adoption slowed, with their security unit remaining the “Department of No”. This means that either the full benefits of the cloud will not be realised, or potentially cloud usage will be driven underground, opening the organisation up to new risks. Neither of these outcomes is likely to be profitable.
Would you like to learn more about the practical solutions and tools that will help you to manage the ever-changing security regulations? Sign up for our next TechLunch, which will take place on 22 January 2019 between 11.30 AM and 1.30 PM at Oracle Luxembourg. If you’re interested, send an email to firstname.lastname@example.org.
Published on 09 January 2019