Cloud-native security considerations for critical enterprise workloads
Since the advent of the public cloud as a viable alternative to on-premise systems, CIOs and CISOs have been citing security as one of the top concerns when it comes to making the switch.
While most of their worries have abated over the years, some remain, fuelled by the number of data leak incidents, mainly arising from misconfiguration.
Johnnie Konstantas, Senior Director, Security Go to Market at Oracle, says that the main reason we are seeing so many headlines around sensitive data leaks and loss is that there are almost too many security tools offered by public cloud providers.
Making cloud security administration less person-intensive and error-prone
“Public clouds are, by and large, homogeneous infrastructures with embedded monitoring capabilities that are ubiquitous and have centralized security administration and threat remediation tools built on top,” Konstantas told Help Net Security.
But cloud customers must train anew on the use of these tools and be properly staffed to leverage them and to coordinate amongst the various security disciplines – and this is hard to do as cybersecurity expertise is at historic shortage.
“Customers don’t want more tools, they want the benefit of cloud service provider innovation and expertise to address the challenge. At this point, we need reliable, accurate security configuration management and threat response that is automated,” Konstantas opined.
This is the direction in which she expects cloud-native security to go in the next five years. She believes we are likely to see a shift away from discussions about the shared responsibility model and more toward making customers cloud security heroes through automation.
“Automation really is central to effective cloud security. Just take the example of data and consider the volume of data flowing into cloud hosted data bases and data warehouses. Classifying the data, identifying PII, PHI, credit cards etc., flagging overly permissioned access, and requiring additional authorization for data removal – all these things have to be automated. Even the remediation, or prevention of access needs to be automated,” she noted.
Cloud providers will have to break through customers’ fear that automated security means breaking business by over-reacting to false positives, but those that find a way to excel in using machine learning, model tuning and artificial intelligence for effective and accurate automated threat prevention will deservedly earn customer confidence – and not a moment too soon.
Is it safe to put critical enterprise workloads in the public cloud?
Without a doubt, the public cloud has proven a worthy alternative to private data centers by offering high resilience to threats and rapid security incident recovery. But not all public cloud providers are the same when it comes to expertise or built-in security.
Organizations with sensitive data and workloads must find those that will offer adequate security, and can do so by asking many questions and evaluating the answers.
Konstantas proposes the following (though the list isn’t exhaustive):
- What are your data protection, detection, response and recovery capabilities for both structured (database) and unstructured (object storage) data?
- How do you protect against hypervisor-based attacks, cross tenant infection, hardware-based attacks?
- Which customer-controlled security functions are built into your cloud and are they charged for?
- Which parts of security configuration, detection and threat remediation are automated on your platform and to which services do they apply (i.e. IaaS, PaaS, SaaS)?
For the CISO that has to work with the CIO to lead a massive migration of the organization’s data to the cloud, she advises to get as much visibility into the project as possible.
“CISOs need to prepare answers for how the organization will meet its regulatory and compliance obligations for the data during the migration and once fully operational in the cloud,” she explained.
Again, there are many questions that must be answered. Among them are:
- How will security coverage look after the migration as compared to what is being done on premises?
- How will security posture visibility and effectiveness increase?
- What cost savings will be incurred on security spend by adopting built-in cloud security?
- How will holistic cloud security posture be communicated to the CIO and board of directors?
“If the CISO is working with a cloud security provider that understands critical enterprise workloads, they will have ample support and guidance in preparing and documenting these answers because enterprise-focused CSPs have deep experience with the specific requirements of global companies, complex enterprise applications and data residency and sovereignty requirements. Enterprise-focused CSPs staff teams ready to share those insights and furnish the proof points customers require,” she concluded.