In this interview, Gray Hall, CEO at Alert Logic, illustrates today’s top cloud security threats, tackles privacy and surveillance issues, and offers security best practices organizations should implement when moving to the cloud.
Do you think cloud security concerns are generally overblown?
Many people incorrectly assume that cloud security concerns are overstated. In fact, the concern is very real, but not for the reasons most people think. Most major cloud providers provide extensive security controls, often beyond those of the best corporate data centers, but the virtual cloud instances within the cloud are another story. Customers are responsible for providing security for these virtual servers, which is where security generally breaks down. Some users incorrectly assume that security of virtual servers is the responsibility of the provider, which leaves them exposed when basic security controls are not implemented. Others fail to realize that very few existing security tools were specifically designed to work within the virtual servers in the cloud until it’s too late.
Adopting cloud services does not automatically make you more or less secure. However, this does not — and should not — stop people from moving into the cloud. Building on the strong foundation of cloud platforms, businesses can in fact achieve higher levels of security than they could in their own data centers. But to do so, they must rethink their approach to ensure the tools they use for cloud security are up to the task, and to ensure that every layer of their application stack is protected – from the web application code, to the cloud servers, to the virtual networks these servers use for communication.
What are the top threats to cloud security today?
Our research shows that the risks affecting the cloud and on-premises data centers are converging. There are very few threats that specifically target cloud deployments, and there is a good reason for this – security flaws in web applications have historically been one of the biggest areas of exposure and moving an application to the cloud doesn’t change this fact. In other words, businesses generally have not really done a good enough job with securing web applications to motivate hackers to change their tactics.
The best way to mitigate risk is ensure that security is built into the cloud deployment from launch date and the technologies used are natively built for the cloud. Far too often, people attempt to deploy security technologies designed for on-premises data centers, which focus on endpoints more so than applications, and quickly realize they don’t quite fit the cloud. In most of these cases the business ends up relaxing its security requirements, and as a result the newly deployed cloud infrastructure is more exposed than it was on-premises. Cloud security should be contemplated as one of the design considerations and be embedded into the deployment from day one in order to minimize risk.
What’s your take on businesses increasingly placing their trust in cloud providers with infrastructures located outside of the United States?
This is far from a new trend, but one that has been accelerated by the disclosures of widespread government surveillance. The important thing to remember is that this is not a United States issue. Multiple governments around the world are working in concert to ensure they have visibility into Internet communications, and the concern remains real no matter where your data resides.
What security best practices should an organization implement when moving to the cloud?
It’s extremely important that you provide protection for the entire application stack running on virtual machines – throughout the system, network and application levels. Relatively few security vendors today support cloud deployments well, so it’s important to ask the right questions beyond “can you deploy in the cloud?” How they deploy and whether they support cloud-specific use cases is much more important.
One of the biggest mistakes we see IT security teams make is to fail to prioritize the most important business or operational requirements in designing the security requirements for a given application deployment. A simple example – if your application team has a requirement for auto-scaling, then this must become the ground-floor requirement for your security toolkit as well. Otherwise, cloud deployment will move forward, but security will be left behind, which happens all too often.
How should organizations tackle security risk management when considering cloud service providers?
One of the first steps is choosing a cloud provider that offers the style of service that fits your business. For some businesses who prefer control and have the expertise to manage their own environment, cloud providers like Amazon or Azure have security partners with the capability to extend their own services dynamically for customers of those cloud providers. For businesses that need better support and an ability to outsource management of the entire application environment, a cloud provider with deep roots in managed hosting, such as Rackspace or Datapipe, might be a better choice. There are security options available in each of these cloud environments, but even the best security capabilities are ineffective if you can’t deploy and manage them.