Traditionally, data and IT infrastructure were effectively protected with a perimeter-based approach. This strategy worked well when we could readily identify what was “inside” and what was “outside” the perimeter.
Now that is changing. The perimeter is increasingly hard to define, and harder still to defend. One reason is that enterprises are moving to cloud-based infrastructure, which faces not only traditional threats such as malicious insiders and application access vulnerabilities, but also newer ones such as BYOD, over-privileged users and persistent access by third parties.
Just a few years ago, security was the main concern for enterprises contemplating large-scale cloud adoption. Those concerns are still valid today. Nonetheless, cloud is here. Forrester Research forecast public cloud computing to reach $57 billion in 2013 and to exceed $157 billion by 2020, and researchers at Deutsche Bank predict that big banks’ use of cloud will ramp up “materially” in 2017. IT security professionals need to shift their thinking from whether to move to cloud to how best to manage the transition and mitigate its risks.
To do that, they need to resolve a crucial conundrum: how can applications and infrastructure be trusted and controlled when an organisation hands both over to its cloud provider?
The cloud security conversation evolves
User access controls designed to secure on-premises systems are straining to secure cloud environments, and the number of enterprises facing that challenge is growing. Private cloud adoption is on the rise (from 63 per cent to 77 per cent), helping to drive hybrid cloud adoption up from 58 per cent to 71 per cent year-over-year, according to RightScale’s 2016 State of the Cloud Report.
In the vast majority of enterprises, a significant share of resources, development and consumed services will be in the cloud, and half (51 per cent) of businesses will have reached cloud maturity within two years. For hybrid cloud adoption, traditional barriers such as security concerns are compounded by operational ones: managing multiple IT architectures and network bandwidth.
Why is cloud a security advantage now?
The security benefits of public cloud environments can be a game-changer in the arms race between enterprise defenders and cyber adversaries, if they are managed properly. As AWS outlines, public cloud security is a shared responsibility: AWS takes responsibility for security ‘of’ the cloud and puts the onus on the customer for security ‘in’ the cloud.
For every organisation adopting cloud, the provider takes over the areas that benefit from a collective approach: physical security of the data centres that host your servers and other resources, employee screening, and patching and vulnerability management of the provider’s own infrastructure. Done once by a dedicated provider on behalf of all its tenants, this raises overall security posture more efficiently than each tenant could manage alone. Note the boundary, though: where the customer controls the operating system, as on an IaaS virtual machine, patching and updating that OS and the software on it remains the customer’s job under the shared responsibility model.
What remains are enterprise-specific concerns, chief among them user access. Here the primary consideration is how to balance what users want (broad, frictionless access) against what security requires (fine-grained controls). A Software-Defined Perimeter (SDP), a security model that assigns network permissions to each user dynamically, helps strike that balance. Under SDP, a user attempting to reach a given cloud resource is authenticated and authorised before being granted any network access to it.
Every resource the user is not authorised for is made unreachable. This applies the principle of least privilege to the network itself, and it also shrinks the attack surface by hiding resources from unauthorised or unauthenticated users, who cannot attack what they cannot see or connect to.
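The SDP model described above, as an added example that is not part of the original article and not code from any Cryptzone product: a toy controller and gateway in Python. The controller authenticates the user, checks a least-privilege policy and issues a short-lived token scoped to one resource and one device; the gateway in front of each resource replies only to a valid token and silently drops everything else, so the resource stays dark to scanners and to users who are not authorised for it. The policy table, user credentials, resource names and the shared HMAC key are all constructed for the example; a real deployment would back the controller with an identity provider and MFA and use a standard token format.

```python
import base64
import hashlib
import hmac
import json

# Constructed policy and credentials for the example; a real controller would
# consult an identity provider and a policy store. Least privilege: each user
# is mapped only to the resources they need.
POLICY = {
    "alice": {"payroll-db", "wiki"},
    "bob": {"wiki"},
}
USERS = {"alice": "alice-pw", "bob": "bob-pw"}
TOKEN_TTL = 60        # seconds a grant stays valid
MAC_LEN = 32          # bytes of HMAC-SHA256 appended to the token body


class Controller:
    """SDP controller: authenticates the user, checks policy, and issues a
    short-lived token bound to one resource and one device."""

    def __init__(self, key: bytes):
        self.key = key

    def authenticate(self, user: str, password: str) -> bool:
        expected = USERS.get(user)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())

    def grant(self, user, password, device_id, resource, now):
        """Return a token, or None if the user fails authentication or is not
        authorised for that resource (no partial access, no error detail)."""
        if not self.authenticate(user, password):
            return None
        if resource not in POLICY.get(user, set()):
            return None
        claims = {"sub": user, "dev": device_id, "res": resource,
                  "exp": now + TOKEN_TTL}
        body = json.dumps(claims, sort_keys=True).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + mac).decode()


class Gateway:
    """SDP gateway in front of one resource. Default deny: it answers only a
    valid, unexpired token for its own resource from the device the token was
    issued to; every other request is dropped without a reply."""

    def __init__(self, key: bytes, resource: str):
        self.key = key
        self.resource = resource

    def handle(self, token, device_id, now):
        """Return the resource's reply, or None meaning 'dropped, no response'."""
        if not token:
            return None
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except ValueError:
            return None
        body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(raw) <= MAC_LEN or not hmac.compare_digest(mac, expected):
            return None
        claims = json.loads(body)
        if (claims["res"] != self.resource      # token scoped to another resource
                or claims["dev"] != device_id   # token replayed from another device
                or claims["exp"] <= now):       # grant expired
            return None
        return f"{self.resource}: access granted to {claims['sub']}"


def demo():
    """Walk the allowed path and each denied path; returns a dict of outcomes."""
    key = b"constructed-controller-gateway-key"
    ctrl = Controller(key)
    payroll = Gateway(key, "payroll-db")
    t0 = 1_000
    alice_tok = ctrl.grant("alice", "alice-pw", "laptop-1", "payroll-db", t0)
    wiki_tok = ctrl.grant("alice", "alice-pw", "laptop-1", "wiki", t0)
    return {
        "alice_ok": payroll.handle(alice_tok, "laptop-1", t0 + 5),
        "bob_no_grant": ctrl.grant("bob", "bob-pw", "laptop-2", "payroll-db", t0),
        "bad_password": ctrl.grant("alice", "wrong", "laptop-1", "payroll-db", t0),
        "unauthenticated_scan": payroll.handle(None, "scanner", t0),
        "forged_token": payroll.handle(alice_tok[:-6] + "AAAAAA", "laptop-1", t0 + 5),
        "stolen_token": payroll.handle(alice_tok, "laptop-9", t0 + 5),
        "expired": payroll.handle(alice_tok, "laptop-1", t0 + TOKEN_TTL),
        "wrong_resource": payroll.handle(wiki_tok, "laptop-1", t0 + 5),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} -> {outcome if outcome else 'dropped'}")
```

The gateway returning None stands in for not answering at all: a production SDP gateway enforces the same rule at the packet level, accepting nothing from a source until it has presented a valid authorisation, which is what keeps the resource invisible to port scans. The denied cases matter as much as the allowed one: a valid user asking for a resource outside their policy gets no token, and a token cannot be replayed from another device, reused after expiry, or presented to a gateway other than the one it was issued for.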
What cloud offers is shared resources for getting security right
Many organisations have taken steps to deter adversaries, because for too long attacks have been low-risk and high-profit. Cloud can help change that equation. Managed correctly, it could be the game changer defenders have been looking for.
Leo Taddeo, CSO of Cryptzone