Following up from our hugely successful tweetchat around threat intelligence, we initiated another community mind-meld and sought to tackle some of the prevalent themes around cloud security.
We don’t believe in beating about the bush on these things, so we jumped in head-first and asked what people believed to be the biggest cloud security misconceptions. Our own Garrett Gross got the ball rolling.
Which raises an interesting point about how some conventional security methods cannot be achieved as easily in the cloud. Cloud application services, or Software as a Service (SaaS), use the web to deliver applications that are managed by a third-party vendor. Examples of SaaS would include Google Apps, Salesforce, Concur and so forth. In these instances, data is stored and processed on the service provider’s infrastructure, so security techniques such as data encryption or tokenization may not work in the same way as in on-premise deployments – or not at all.
Cloud infrastructure services, or Infrastructure as a Service (IaaS), are self-service models for managing applications, data, runtime, middleware and OSes. Here there are a lot more intricacies to managing security. As Garrett elaborated, scanning for vulnerabilities may land you in hot water with your IaaS provider.
This raised an interesting issue, which tied in nicely with a comment made by Stuart Coulson that when companies move to the cloud, they often make the incorrect assumption that all security is the responsibility of the cloud. That comment was echoed by others.
Jitender Arora reminded us that even if a cloud provider takes on board some aspects of security, if you operate in a regulated environment, those regulations extend into the cloud and remain the responsibility of the customer.
Garrett offered some clarification by way of the Amazon Shared Responsibility model, which lays out which areas of security fall under Amazon and which fall under its customers.
With a consensus reached that at least a portion of security remains the responsibility of the customer, we decided to probe how companies were going about identifying vulnerabilities in the cloud, which can prove to be trickier than expected.
I do agree with Garrett’s point that parsing of cloud logs is the way to go, although I was only somewhat joking about going blind after being first exposed to cloud logs, the format and detail of which are quite different from traditional logs.
Next up, we asked what criteria are most important when evaluating cloud providers, which generated a variety of responses.
Whilst certifications got a number of nods, it was noted that the scope of a certification is of great importance and should always be considered.
As with nearly all things security though, not every answer is straightforward and a lot will depend upon the individual needs of a particular business.
Next up, we got onto quick tips for securing data in the cloud, where Stuart and Garrett touched upon whether a cloud environment could ever truly be secure.
Paranoia aside, it raises a valid point that just because an application or infrastructure can be moved to the cloud, it doesn’t necessarily mean it should. Risk assessment remains a fundamental part of a cloud strategy. To this I injected the point that data classification is probably a good starting point.
Stuart responded somewhat cynically that vendors are likely to put profits ahead of customer security.
Finally, we asked how companies were monitoring the cloud for activity, usage and appropriateness. I kicked things off by stating the obvious.
Garrett elaborated further to explain how usage is one of several cloud-specific indicators of compromise.
Other indicators of compromise are not always so easy to spot, as Stuart mentioned. Before anomalies can be detected, a baseline of what normal activities look like needs to be established. I shared a link to Rich Mogull’s post where he recounts an incident where he left his AWS access keys on GitHub and someone used them to mine bitcoins.
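To make the baseline idea concrete, here is an added example (not from the tweetchat or from any participant) that builds a per-access-key profile from cloud audit logs and flags activity outside it. The records are constructed samples that use AWS CloudTrail field names; the key IDs, IP addresses and timestamps are made up.

```python
import json
from collections import defaultdict

# Constructed sample records (CloudTrail field names, made-up values).
BASELINE_LOG = """\
{"eventTime":"2014-01-06T09:12:00Z","eventName":"DescribeInstances","awsRegion":"us-west-2","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2014-01-06T09:15:00Z","eventName":"RunInstances","awsRegion":"us-west-2","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2014-01-06T10:40:00Z","eventName":"GetObject","awsRegion":"us-west-2","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
"""
NEW_LOG = """\
{"eventTime":"2014-01-07T09:01:00Z","eventName":"DescribeInstances","awsRegion":"us-west-2","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2014-01-07T03:02:00Z","eventName":"RunInstances","awsRegion":"sa-east-1","sourceIPAddress":"203.0.113.50","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2014-01-07T03:03:00Z","eventName":"RunInstances","awsRegion":"ap-southeast-2","sourceIPAddress":"203.0.113.50","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2014-01-07T11:30:00Z","eventName":"ListBuckets","awsRegion":"us-west-2","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000002"}}
"""
FIELDS = ("eventName", "awsRegion", "sourceIPAddress")

def parse(log_text):
    """One JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def key_of(event):
    # Not every audit record carries an access key (e.g. console sign-ins).
    return event.get("userIdentity", {}).get("accessKeyId", "<no-access-key>")

def build_baseline(events):
    """Per access key: the API calls, regions and source IPs seen as normal."""
    baseline = defaultdict(lambda: {f: set() for f in FIELDS})
    for e in events:
        for f in FIELDS:
            baseline[key_of(e)][f].add(e.get(f))
    return dict(baseline)

def find_anomalies(baseline, events):
    """Return (eventTime, key, reasons) for every event outside the baseline."""
    findings = []
    for e in events:
        profile = baseline.get(key_of(e))
        if profile is None:
            reasons = ["access key not seen in baseline"]
        else:
            reasons = [f"new {f}: {e.get(f)}" for f in FIELDS if e.get(f) not in profile[f]]
        if reasons:
            findings.append((e["eventTime"], key_of(e), reasons))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG)):
        print(finding)
```

The familiar call from the usual region and IP passes silently, while the same key launching instances in regions it has never used, from an address it has never used, is reported with the reason attached.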
All in all, it was another very informative and entertaining tweetchat. It’s opportunities like these that allow us to gather a wide variety of comments, views and opinions. It’s not an attempt to settle all disputes and boil the ocean, but it does allow for some collaboration and pondering.
Perhaps Garrett summed up a lot of what represents the cloud security challenges in one tweet.