In this interview, Ravi Ithal, Chief Architect at Netskope, discusses the top threats to cloud security and how they are changing the way we’re using the cloud. He also talks about how the power of the cloud influences the agility of a modern security architecture and offers insight about who is ultimately responsible for data security in the cloud.
There’s no doubt, the cloud is here to stay. If you look at today’s fast paced threat landscape, what are the top threats to cloud security?
One of the biggest threats in cloud computing today is the data breach. There’s no doubt that we are on a cloud-data breach collision course as enterprises adopt cloud rapidly and data breaches grow in number and intensity.
There are three ways that the cloud can impact data breaches:
1. It can be an entry point, as we found in one of the services we track that was used to deliver malware.
2. It can become hacked, as we saw with code hosting service Code Spaces, where attackers gained access to its Amazon EC2 control panel to demand ransom and ultimately put the company out of business.
3. A corporate insider can intentionally or inadvertently expose sensitive data from a cloud service. This can range from a departing individual’s theft of business documents to the inadvertent sharing of customer records. Since one out of five enterprise cloud apps enables sharing, this can happen from nearly any type of service with nearly any type of data.
How does this change the way we are using the cloud?
Up until now, cloud services have flown under the radar in enterprises. Today, though, we have reached an adoption tipping point both in terms of number of the cloud apps being used and the importance people are placing on these services. IT is therefore having to think differently about the cloud. They are taking measures to secure access with single sign-on technology and policy enforcement technologies that intervene when users engage in risky behavior.
How can the power of the cloud influence the agility of a modern security architecture?
Security is about intelligence and enforcement. Intelligence involves the knowledge of vulnerabilities within, threats to, and active attacks against corporate data and users. That intelligence is gathered from a variety of sources and analyzed to detect unique patterns that signal threats. Because the cloud is elastic, it provides easy access to IT “plumbing,” and makes it easy to take advantage of machine learning tools. Developers can rapidly build security intelligence solutions that target the threats they’re analysing and are tied directly to their core competencies.
Enforcement is about using that intelligence to protect data. Security enforcement historically involved hardware deployments, usually on an enterprise’s premises. This created huge capital investments, slow deployment times (when time is of the essence), and the inability to handle bursts of activity, not to mention onerous vendor lock-in. As software-defined, and especially cloud-based solutions, came onto the security scene, it turned these issues around. With cloud, capital investments go away, deployment is fast, and the technology can scale up and down. Most importantly, enforcing policies in the cloud means you can handle problems where they’re happening for speed and efficiency.
Who is ultimately responsible for data security in the cloud?
We believe data security in the cloud is a “shared responsibility” model, with both the cloud service vendor and the enterprise playing a role. First, it’s important to acknowledge what kind of data we’re talking about. It’s not just files in Dropbox (although that’s part of it). It’s your source code, product roadmap, and virus queues in software development apps like Atlassian, GitHub and SourceForge. It’s your contracts and subscription revenue details in Zuora, or expense data in Concur. It’s HR data – some of it Personally Identifiable Information (PII) – in SuccessFactors and Cornerstone OnDemand. And it’s customer contact information in Marketo and ConstantContact.
Vendors – especially those housing sensitive data – have a responsibility to provide the utmost security, auditability, and business continuity capabilities. We measure cloud apps on 50+ criteria, such as whether they support multi-factor authentication or separate tenant data, and specify in the legal terms that customers own their own data. Surprisingly, 88 percent of apps we track don’t meet enterprise-readiness standards.
Beyond inherent security, the other side of “shared responsibility” is the enterprise’s service use. This has everything to do with what users are doing with what data. For instance, is Protected Health Information (PHI) being uploaded to/housed within an app? Are unauthorized individuals downloading PII from HR apps? Does “company confidential” content reside in apps with administrators that have left the company? Are people sharing sensitive content outside of the company? If the answers are yes, what compensating controls are in place? While inherent cloud service security is important, it’s the data and the usage that really matter when it comes to ensuring security.
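The four usage questions above can be turned into concrete checks over an app's activity records. The block below is an added example, not Netskope's product or any vendor's API: it runs those checks over constructed events and a hypothetical directory of active users, HR staff and app administrators, so the output is the list of findings for which compensating controls would need to exist.

```python
from dataclasses import dataclass

@dataclass
class Event:
    app: str
    user: str
    action: str             # "upload", "download" or "share"
    classification: str     # "PHI", "PII", "confidential" or "public"
    share_target: str = ""  # recipient domain for "share" events

# Constructed directory data (hypothetical): who is still employed, who is in HR,
# and who administers each app.
ACTIVE_USERS = {"alice@corp.example", "bob@corp.example"}
HR_USERS = {"alice@corp.example"}
APP_ADMINS = {"hr-app": {"carol@corp.example"}, "wiki": {"bob@corp.example"}}
COMPANY_DOMAIN = "corp.example"
SENSITIVE = {"PHI", "PII", "confidential"}

def audit(events):
    """Return (rule, event) findings; each rule is one of the interview's questions."""
    findings = []
    for e in events:
        # Is PHI being uploaded to / housed within an app?
        if e.action == "upload" and e.classification == "PHI":
            findings.append(("phi_uploaded", e))
        # Are unauthorized individuals downloading PII from HR apps?
        if e.action == "download" and e.classification == "PII" and e.user not in HR_USERS:
            findings.append(("pii_download_by_non_hr", e))
        # Does confidential content reside in an app whose admins have all left?
        admins = APP_ADMINS.get(e.app, set())
        if e.classification == "confidential" and admins and not (admins & ACTIVE_USERS):
            findings.append(("confidential_in_orphaned_app", e))
        # Is sensitive content being shared outside the company?
        if e.action == "share" and e.classification in SENSITIVE and e.share_target != COMPANY_DOMAIN:
            findings.append(("external_share_of_sensitive", e))
    return findings

# Constructed sample activity: one event per finding plus two benign ones.
SAMPLE_EVENTS = [
    Event("health-portal", "alice@corp.example", "upload", "PHI"),
    Event("hr-app", "bob@corp.example", "download", "PII"),
    Event("hr-app", "alice@corp.example", "upload", "confidential"),
    Event("wiki", "bob@corp.example", "share", "confidential", "partner.example"),
    Event("wiki", "bob@corp.example", "share", "public", "partner.example"),
    Event("hr-app", "alice@corp.example", "download", "PII"),
]

def rules_triggered(events=SAMPLE_EVENTS):
    """Set of rule names that fired, i.e. the questions answered 'yes'."""
    return {rule for rule, _ in audit(events)}

if __name__ == "__main__":
    for rule, e in audit(SAMPLE_EVENTS):
        print(f"{rule}: {e.user} {e.action} {e.classification} in {e.app}")
```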