Virtualization Technology News and Information
Go With the (data) Flow: Three Ways to Find Hidden Security Risks in the Cloud Era

Written by Kaus Phaltankar

Cloud security and compliance questions continue to escalate dramatically - but maybe not for the reasons you suspect. Ever since the cloud took off as a business necessity, there has been suspicion that anything you place in the cloud will be stolen in a digital break-in because - after all - the cloud is ultimately "someone else's computer," not your own internal servers. Yet this paranoia has largely been dispelled for those in the know. In reality, most cloud providers are very good at security and availability - in fact, economies of scale mean they are actually better than many businesses at configuration management, application performance, disaster recovery and other data center essentials. So why the "cloud security" alarm? When you look past the sound bites and headlines - like recent reports of corporate data turning up exposed in Box - you realize that the problem is not cloud providers themselves being mercilessly "hacked" by exotic malware. Rather, it's missteps and blind spots in how customers use tremendously powerful, on-demand cloud systems that put them at risk.

Speed and scale matter, both in capturing business opportunities and as threat catalysts. If the latest, sleekest workstations and laptops are hot rods and performance coupes, then think of cloud systems as a Formula One supercar in comparison: incredibly fast and remarkably stable at high speeds. But even small overcorrections and blind spots can have severe, cascading consequences. For example, finding out the confidential folder you set up in Box has a URL that can be guessed and accessed remotely feels like grazing a wall at 150 mph.

Now picture these supercars becoming very affordable and everyone is leasing one to go head-to-head against their nearest rival, even if they are not entirely sure how the car handles or what the track looks like. This is kind of like what cyber risk management can feel like in the cloud today. Companies are banking on a lot of horsepower and trying not to get hurt in the process.

With this in mind, here are three practical approaches for uncovering and getting ahead of data security and compliance hot spots in the cloud, before they become potholes in hairpin turns.

First - find your clouds

It sounds deceptively silly, but "What do we mean by 'cloud'?" is a crucial, foundational question - particularly in companies composed of mergers, diverse business units and other variables. For some, "cloud" means using a business application hosted off-premises, like a CRM database. For others, it means a highly elastic workspace where developers build apps and offload the storage of massive datasets. Or, cloud could refer to some sort of internal corporate "private" cloud - and one or more of the aforementioned other cloud varieties. This is what we generally call hybrid cloud - your cloud assets, plus others' - and is the model more and more companies find themselves in, particularly when you use clouds as connective tissue between a company and its third-party developers, data providers or other business partners.

These labels are not just buzzwords or academic terms - they determine your attack surface and the reach of security controls you already own or use through providers. For example, if you have legacy data center firewalls around your company's private cloud, that leg of your cloud footprint might be adequately controlled - but your developers' or partners' public clouds (accessing the same data) might be a different story. Conversely, maybe you rely entirely on your cloud providers' dashboards for security and compliance. One could argue this is a cost-effective use of built-in tools you are paying for, already - but it can also increase switching costs and keep you uncomfortably bound to that provider.

Security is always about risk tolerance and trade-offs, so you need to consider the assets and needs of your business, consolidate clouds where you can and decide to what degree you rely on providers for data control or roll out your own, independent security controls to span all these environments. Back to our supercar analogy: Are the engine, transmission and suspension coming from the same place? If not, how do we make sure they work well together?

Forge a team to rebalance risk

This might sound unusual, but it is dangerous and counterproductive for CISOs and compliance overseers to undertake cloud security alone and only hold meetings with each other. Back in the old network perimeter-driven days, security pros were gatekeepers who benefited from data being kept "inside" by default. But in the cloud era data is "shared" by default and the risk equation is much different.

Your developers, line of business leaders and other non-security stakeholders need to be part of a cross-functional team that looks at how effectively the company uses and protects cloud-dependent data and processes. Because cloud capacity and workflows are so fluid, it is not uncommon for a dozen or so corporate departments to spin up cloud apps and instances for everything from being first-to-market to rapidly prototyping test cases. Because complexity is the natural enemy of security and compliance, enlisting even a handful of stakeholders in meetings can at least uncover shared uses and risks and normalize practices across the board, at least when it comes to the most volatile actions (think of handling live production data or sharing it outside the company). This is your pit crew - they may not be responsible for the entire race outcome, but they need to make sure their line of work in tires, fuel and process improvement does not hinder performance or safety.

Study workflows and ask questions

In racing and IT strategy, numbers are everything. The trade secrets of motorsports are all about interpreting data like diagnostic feeds and race-over-race statistics across different climates, locations and other patterns. Likewise, metrics are crucial for cloud decision-making - whether for risk management reporting up to the board or proving your business's digital transformation is on-pace and on-target.

In the cloud, the best way to scope risk and scout the curves ahead is to follow where data travels. Do not rely on raw numbers of cloud usage costs and statistics. Look operationally at where your data flows for a complementary picture of when and how your crown jewel information touches things that could introduce the greatest risk. This helps eliminate blind spots and establish an objective rationale for why an IT decision or business process might need to be changed for the greater good. A lot changes constantly in the cloud, and faster still at the speed of business, so make prioritizing visibility and control a recurring theme. Make it the norm to ask questions about how new types of data and processes change the shape of things. As Pirelli's famous tire tagline goes, "Power is nothing without control." The same is true in the cloud: without a consolidated view of workflows, users and activity you have no means to exert control - and will feel a lot of bumps in the road.

Those of us steeped in security and compliance are realizing our role can no longer be about saying "No." We must become responsible risk advisors and safe enablers of the highly competitive global races our organizations are entering with ever more powerful cloud engines. It is our job to better instrument these vehicles and minimize high-speed surprises and single points of failure by tuning the cloud's sheer state-of-the-art flexibility to be more of a security and compliance advantage, not a question mark. Risk always comes with opportunity and accidents happen, but we do not need to settle for unchecked hazards.

About the Author

Kaus Phaltankar, CEO & Co-Founder at Caveonix

Kaus Phaltankar most recently served as a Senior Vice President for Dell Technologies. Before that Kaus was Global President of Virtustream Security Solutions, a Dell Technologies company, where he was an evangelist and a technology leader developing compliance and risk management solutions for private, public and hybrid clouds, globally.

Kaus was the founder and CEO at ViewTrust Technology where he developed and implemented solutions for cloud and enterprise Governance, Risk and Compliance (GRC) and Continuous Compliance Automation and Risk Monitoring. Virtustream acquired ViewTrust in 2014.

Kaus has US patents for designing advanced data center architecture for the highest level of resiliency and reliability and authored the book "Implementing Secure Intranets and Extranets," with a foreword by Internet pioneer Dr. Vint Cerf. He has presented at the World Bank, AFCEA, and the National Defense University, and is an adjunct professor at the University of Miami, teaching a course in Cyber Security.

Published Monday, March 25, 2019 6:51 AM by David Marshall