Is this cloud security Nirvana?
While many organizations moved to the cloud to try to simplify their IT management, including improve security, they’re learning that it’s not as simple as “shift applications to the cloud and watch the magic happen.”
It’s not that most organizations viewed (or still view) it that way, but many did and still do. It’s why it’s been a rough couple of years for cloud security. And while recent vulnerabilities disclosed such as Spectre and Meltdown have cast a long shadow over the ability of enterprises to defend themselves (in all environments but especially cloud environments) enterprises need to be (as always) vigilant for potential exploitations.
One thing I am certain of in all of this? Past and current security concerns are not expected to cast any shadow on cloud sales in the years ahead. And current predictions are vigorous. The market research firm QYResearch estimated the global cloud computing market will grow roughly 26 percent from last year (2017) through 2022.
This current bevy of hardware flaws won’t slow that demand down any time soon. According to a report from Synergy research, and reported in CRN, the overall cloud market grew 24 percent last year. “Over the four quarters leading up to September of 2017—essentially Q4 of 2016 to Q3 of 2017—cloud sales, including on all services and all infrastructure products used for building clouds, achieved an overall market of $180 billion,” Joseph Tsidulko wrote in his story Cloud Computing: Now A $180 Billion Market.
According to the story, cloud infrastructure and platform services grew 47 percent, with hosted private cloud growing 30 percent. That’s quite a clip.
The unfortunate reality is, however, that many organizations don’t need a low-level hardware flaw in the infrastructure of their cloud providers to make themselves vulnerable. They can do that all on their own. Perhaps it was the rush to cloud that is part of the reason why there have been so many cloud related breaches, such as when a poorly configured AWS S3 bucket exposed thousands of military and intelligence personnel records to unauthorized public access. According to the story Thousands of military contractor files allegedly left online, unsecure, published in The Hill, those files included personal contact information.
“Chris Vickery, a researcher at security firm Upguard, said he discovered the unsecured set of resumes on a public-facing Amazon cloud server in July that was not protected by any form of login. Typically, this is the result of misconfigured security settings,” the story continued.
It’s certainly not the only example last year. Verizon exposed millions of customer records due to another unprotected S3 bucket. Dow Jones experienced a similar gaffe. In fact throughout 2016 and 2017 we witnessed many poorly configured cloud-based databases being breached.
Not good and completely avoidable with a minimal of effort.
As if organizations weren’t having a challenging enough time keeping their environments secure, along came the vulnerabilities Meltdown and Spectre just recently made public by Google. These hardware flaws affect most every current processor and, through exploitations against “speculative” code execution, attackers can capture passwords and private encryption keys. Filip Truta provides an overview in his post, Meltdown and Spectre: decades-old CPU design flaws put businesses at risk.
Fixing these hardware flaws can have significant impact on cloud systems performance. “Not only did we see considerable slowdowns for many applications, we also noticed inconsistent performance, since the speed of one application could be impacted by the behavior of other applications running on the same core. Rolling out these mitigations would have negatively impacted many customers,” wrote the Google Cloud team in this blog post.
Most cloud service providers run proprietary systems to run their workloads, so end users may, or may not, know how well they are protecting their systems. But we do know most everyone who uses cloud are affected by these flaws.
Most organizations don’t have just one, or two, or three cloud service providers to worry about. According to RightScale’s 2017 State of the Cloud Report, 85 percent of survey respondents are using multi-cloud, with most running production applications in four clouds. “Companies now run 79 percent of workloads in cloud, with 41 percent of workloads in public cloud and 38 percent in private cloud. It’s important to note that the workloads running in private cloud may include workloads running in existing virtualized environments or bare-metal environments that have been “cloudified,” the report found.
Turns out the move to cloud wasn’t the security nirvana many (incorrectly) expected. And effective cloud management requires all of the things that traditional and on-premises systems require — good asset management, classification of data and resources, having the right security controls in place and monitored; as well as good incident response and business continuity plans.
So as enterprises clouds scale, as we’ve seen, so will threats and other risks to cloud apps and data. This is why cloud security strategy has to scale as cloud adoption grows more complex. One good place to start, or make sure your organization’s cloud security strategy is on point is, the Cloud Security Alliance’s most recent Guidance for Critical Areas of Focus in Cloud Computing 4.0 is a great place to start.
The guidance 4.0, as described by the Cloud Security Alliance, acts as a practical roadmap for those seeking to safely and securely adopt the cloud model.
According to the alliance, about 80% of the guidance was rewritten to better represent the current and future state of cloud computing security, and reflects real-world security cloud practices.
While we are still a long way away from cloud security Nirvana, there’s much enterprises and other organizations can do to bring more serenity to their current environments.
tags
George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.
View all postsDon’t miss out on exclusive content and exciting announcements!