When it comes to successfully managing cloud use within the enterprise, some security organizations try to establish and enforce firm lines between what is permissible and what is banned, while others try to learn what their employees are trying to achieve and help them do so more securely.
To get a sense of what enterprises think about cloud deployments and cloud security, we recently reached out to Jim Reavis, cofounder and chief executive officer at the Cloud Security Alliance. As a nonprofit, the Cloud Security Alliance promotes the use of security assurance best practices in cloud computing, as well as cloud computing education.
Reavis is an information security industry vet and has advised on industry business launches, mergers and acquisitions, and IPOs. Since its founding, the Cloud Security Alliance has launched numerous successful cloud security efforts, including the cloud security provider certification program, the CSA Security, Trust & Assurance Registry (STAR), a cloud provider assurance program of self-assessment, third-party audit, and continuous monitoring; and the cloud security user certification, the Certificate of Cloud Security Knowledge (CCSK). The Cloud Security Alliance also provides research programs in collaboration with industry, higher education, and governments in the areas of cloud computing, mobile, and the Internet of Things.
In your role as president of the Cloud Security Alliance, where do you see the state of enterprise cloud adoption right now?
When it comes to cloud, enterprises are really all in. They're doing a lot more of their mission critical activities in cloud. The security around their cloud implementations is growing as well. Enterprises are getting better at securing their cloud environments and you’re seeing the tier one cloud providers certainly investing in the security of their services. And because of the scale of their services, they can invest in security in ways that enterprises just can’t on their own.
We're also starting to see the impact of the economics and scale when it comes to security investments, and that’s true whether it’s sophisticated intrusion detection, identity management, event monitoring, or whatever: they’re building a level of security in their systems that surpasses what a typical enterprise can do. Their level of investment is why we’re seeing that the bad guys will target cloud users and not try to breach the cloud provider itself directly because they are much more secure.
Enterprises also are learning now how to transition into cloud and to understand the level of security they are getting from cloud providers. Enterprises will always have a role in securing their cloud deployments, whether it's more of the implementation of the technical controls inside private cloud or if it's more due diligence and procurement efforts and looking for the assurance from the providers that they adhere to secure practices.
That's interesting. What do you see the catalysts being to change how enterprises rethink cloud security?
It's human nature to become attached to our servers and systems. Many enterprises have this mentality, and they will even name their servers after pets. And with physical machines, they very much had a defensive posture that prized keeping that system up for years and years. If there was a breach, they would identify it and try to cleanse that system because the cost of taking things down, the cost of downtime, could be severe. That creates entropy and systems just lose a lot of stability.
What I’m seeing some of the enterprise leaders in this area do now, as a result of virtualization, orchestration, and automation tools, is, instead of finding and cleansing malware, they just destroy the virtual machine and launch a new instance that points to the data source. There’s no downtime and no loss of production time doing the forensics. They just basically reimage that virtual machine. They’ll do the forensics later in a different way, and after cleaning up and restarting their infected workloads.
When it comes to companies today that are successful in how they manage cloud in their environment, what are some of the things you see them doing to manage risk and embrace innovation, but in a mature way?
Gentle policing based on very strong knowledge of how their organization is using cloud is very important. This way, they look at what people are trying to accomplish with cloud, and can step in and consult. Gentle policing isn’t meant to inhibit cloud usage as much as help to guide the organization to the more secure options that are available, if users chose an option that wasn’t secure. This ends up being a very good way for enterprises to embrace a mature approach to provide guidance and not just say ‘no’ all of the time.
I also think that organizations are investing more into indicators of compromise as well as into being able to react more quickly when there is a breach. They understand that attack surfaces are becoming vast with the growth of apps and all the mobile endpoints. This creates a need for more agility in reacting to security issues and incidents. They are also investing more in sharing information in their industries, and we are seeing more interest in participating in ISACs or having more of these sorts of relationships to share best practices.
I would imagine that security analytics plays an important role here. Many of the things you just described have a lot of metadata and other data around them, so the need for security data analysis is probably much higher now than five years ago.
That's a really good point. A lot of what I was talking about when it came to investing in incident response included security analytics. A lot of that type of response requires that organizations invest in security analytics. Enterprises can gather all of their different data points across their infrastructure and cloud systems and see that certain data indicators probably increase their confidence level that a breach occurred, and then those data will help them to figure out what to do there.
This is transforming a lot of how we think about securing our systems. There's no doubt about that.