Cloud Security: Time to “Wise Up”

December 15, 2014 | Russ Spitler

The market for cloud, or Internet, computing, in which software and information is available on demand, has surged in recent years. Market research firm IDC expects businesses worldwide to spend $57.4 billion by the end of this year - double that of only a few years previously. Does this signal a brave, new world of 'cloud without borders' and is this necessarily the right way to go? How safe is your information in the cloud and who really has control over it?

Cloud computing presents a major opportunity for the security industry. Unfortunately, whether that opportunity is for success or failure is, as of yet, unwritten.

The opportunity of cloud computing is the centralization and normalization of data management and infrastructure. Instead of relying on every company building out secure development practices and strong operation security processes, there is now opportunity to centralize that responsibility on a few cloud providers.

Alongside this centralization, we also have a shift in technology, such as heavily multi-tenanted environments, adoption of virtualization and software defined networking. All of these changes give us an opportunity to inject security controls in a uniform way as these services are created in the cloud. It’s an opportunity to start with security built-in from the ground up; and surely that is a much better proposition than security as an afterthought.

Everything from data encryption to access control could be improved as we make this transition. Some cloud providers take this very seriously and have been very forward thinking about how to provide secure cloud services. However, as we look to the cloud to help us address some of the problems of the past, new problems arise. How does one take advantage of these new features and capabilities, and how does one ensure they are not exposing themselves in new and unfamiliar ways?

Amazon AWS is a great example of a provider who has been forward thinking when it comes to security. It has a very rich feature set to automate your environment, but has also introduced a large set of new security features. These new features mean that users need to educate themselves on how to securely use them.

A great example that happened this summer was a slew of AWS servers running Elasticsearch, a data storage technology, which was compromised by malware. The problem was that users did not understand that this technology should never have been made available on the internet in the first place and thus it was subjected to hackers. This was not an example of the cloud being insecure; it is an example of how new AWS users are not understanding how to restrict access to their running services using the new features AWS provides.

Yet, we hear about these kinds of stories time and again; one could almost be forgiven for thinking these incidents point to cloud being less secure than other environments. But this would be irresponsible because, like so many other areas of security, it is simply a case of user education.

Yes, the cloud presents huge business benefits, but no one should enter blindly into the relationship without a clear picture of each side’s responsibilities. Therefore, the chance of failure comes in equal measure for both the consumer and the cloud provider. We cannot afford to be ignorant customers in this market; we must hold providers up to high standards as far as their operational controls and practices. Certainly this is possible, but it is also critical for users to look to their providers for assurance that they are doing their part to secure their data.

So, there is not only a technology case for the opportunities that the cloud presents when it comes to security, but also one of education, consultancy and regulation- making sure that providers are accountable and have a certain duty of care to let customers know that they also have their own responsibilities when it comes to the security of their data and applications running in the cloud.

There are impressive efforts by organizations such as the Cloud Security Alliance that are making headway on this, but we need to keep these issues at the forefront of the conversation as we move to the cloud to ensure we do not let security take a back seat.

Russ Spitler

About the Author: Russ Spitler

Russell Spitler brings over a decade of experience building products and startup companies that secure companies across the globe. Russ currently serves as the AVP of Products at AT&T Cybersecurity where he is responsible for cybersecurity product strategy and the execution of the cybersecurity product roadmap that has resulted in the acquisition of over 7,000 commercial customers and over 20,000 open source users during his tenure. Russ was also one of the founders and a driving force behind AlienVault's Open Threat Exchange- a crowd-sourced threat intelligence community with over 100,000 active users from more than 140 countries. His leadership and focus on practical and effective threat detection has helped establish AlienVault's open-source and commercial products as an undisputed industry leader. Prior to AT&T, Russell served in engineering and product management roles at Fortify Software. Russ was instrumental in developing and maturing the Fortify product suite that dominated the application security testing market earning the leadership position in the Gartner MQ for 11 straight years. Fortify's 750+ customers included all 10 of the world's 10 largest banks and all the major branches and agencies within the US DoD. Russell frequently contributes articles and quotes for major news outlets and regularly presents at industry conferences such as RSA, and BlackHat.

Read more posts from Russ Spitler ›


Get price Free trial