Written by Kaus Phaltankar
Cloud security and compliance questions continue to escalate dramatically - but maybe not for the reasons you suspect. Ever since the cloud took off as a business necessity, there has been suspicion that anything you place in the cloud will be stolen in a digital break-in because - after all - the cloud is ultimately "someone else's computer," not your own internal servers. Yet this paranoia has largely been dispelled for those in the know. In reality, most cloud providers are very good at security and availability - in fact, economies of scale mean they are actually better than many businesses at configuration management, application performance, disaster recovery and other data center essentials. So why the "cloud security" alarm? When you look past the sound bites and headlines - like recent reports of corporate data turning up exposed in Box - you realize that the problem is not cloud providers themselves being mercilessly "hacked" by exotic malware. Rather, it's missteps and blind spots in how customers use tremendously powerful, on-demand cloud systems that put them at risk.
Speed and scale matter, both in capturing business opportunities and as threat catalysts. If the latest, sleekest workstations and laptops are hot rods and performance coupes, then think of cloud systems as a Formula One supercar by comparison: incredibly fast and remarkably stable at high speeds. But even small overcorrections and blind spots can have severe, cascading consequences. For example, finding out that the confidential folder you set up in Box has a URL that can be guessed and accessed remotely feels like grazing a wall at 150mph.
Now picture these supercars becoming very affordable, with everyone leasing one to go head-to-head against their nearest rival, even if they are not entirely sure how the car handles or what the track looks like. This is roughly what cyber risk management can feel like in the cloud today. Companies are banking on a lot of horsepower and trying not to get hurt in the process.
With this in mind, here are three practical approaches for uncovering
and getting ahead of data security and compliance hot spots in the cloud,
before they become potholes in hairpin turns.
## First - find your clouds
It sounds deceptively silly, but "What do we mean by 'cloud'?" is a crucial, foundational question - particularly in companies composed of mergers, diverse business units and other variables. For some, "cloud" means using a business application hosted off-premises, like a CRM database. For others, it means a highly elastic workspace where developers build apps and offload the storage of massive datasets. Or, cloud could refer to some sort of internal corporate "private" cloud - and one or more of the aforementioned other cloud varieties. This is what we generally call hybrid cloud - your cloud assets, plus others' - and it is the model more and more companies find themselves in, particularly when you use clouds as connective tissue between a company and its third-party developers, data providers or other business partners.
These labels are not just buzzwords or academic terms - they determine your attack surface and the reach of the security controls you already own or use through providers. For example, if you have legacy data center firewalls around your company's private cloud, that leg of your cloud footprint might be adequately controlled - but your developers' or partners' public clouds (accessing the same data) might be a different story. Conversely, maybe you rely entirely on your cloud providers' dashboards for security and compliance. One could argue this is a cost-effective use of built-in tools you are already paying for - but it can also increase switching costs and keep you uncomfortably bound to that provider.
Security is always about risk tolerance and trade-offs, so you need to
consider the assets and needs of your business, consolidate clouds where you
can and decide to what degree you rely on providers for data control or roll
out your own, independent security controls to span all these environments.
Back to our supercar analogy: Are the engine, transmission and suspension coming
from the same place? If not, how do we make sure they work well together?
## Forge a team to rebalance risk
This might sound unusual, but it is dangerous and counterproductive for
CISOs and compliance overseers to undertake cloud security alone and only hold
meetings with each other. Back in the old network perimeter-driven days,
security pros were gatekeepers who benefited from data being kept "inside" by
default. But in the cloud era data is "shared" by default and the risk equation
is much different.
Your developers, line of business leaders and other non-security stakeholders need to be part of a cross-functional team that looks at how the company uses and protects cloud-dependent data and processes. Because cloud capacity and workflows are so fluid, it is not uncommon for a dozen or so corporate departments to spin up cloud apps and instances for everything from being first-to-market to rapidly prototyping test cases. Because complexity is the natural enemy of security and compliance, enlisting even a handful of stakeholders in meetings can uncover shared uses and risks and normalize practices across the board, at least when it comes to the most volatile actions (think of handling live production data or sharing it outside the company). This is your pit crew - they may not be responsible for the entire race outcome, but they need to make sure their line of work in tires, fuel and process improvement does not hinder performance or safety.
## Study workflows and ask questions
In racing and IT strategy, numbers are everything. The trade secrets of motorsports are all about interpreting data like diagnostic feeds and race-over-race statistics across different climates, locations and other patterns. Likewise, metrics are crucial for cloud decision-making - whether for risk management reporting up to the board or proving your business's digital transformation is on-pace and on-target.
In the cloud, the best way to scope risk and scout the curves ahead is to follow where data travels. Do not rely on raw numbers of cloud usage costs and statistics. Look operationally at where your data flows for a complementary picture of when and how your crown jewel information touches things that could introduce the greatest risk. This helps eliminate blind spots and establish an objective rationale for why an IT decision or business process might need to be changed for the greater good. A lot changes constantly in the cloud, let alone at the speed of business, so make prioritizing visibility and control a recurring theme. Make it the norm to ask questions about how new types of data and processes change the shape of things. As Pirelli's famous tire tagline goes, "Power is nothing without control." The same is true in the cloud: without a consolidated view of workflows, users and activity, you have no means to exert control - and will feel a lot of bumps in the road.
Those of us steeped in security and compliance are realizing our role
can no longer be about saying "No." We must become responsible risk advisors
and safe enablers of the highly competitive global races our organizations are
entering with ever more powerful cloud engines. It is our job to better
instrument these vehicles and minimize high-speed surprises and single points
of failure by tuning the cloud's sheer state-of-the-art flexibility to be more
of a security and compliance advantage, not a question mark. Risk always comes
with opportunity and accidents happen, but we do not need to settle for
unchecked hazards.
## About the Author
Kaus Phaltankar, CEO & Co-Founder at Caveonix
Kaus Phaltankar most recently
served as a Senior Vice President for Dell Technologies. Before that Kaus was
Global President of Virtustream Security Solutions, a Dell Technologies
company, where he was an evangelist and a technology leader developing
compliance and risk management solutions for private, public and hybrid clouds,
globally.
Kaus was the founder
and CEO at ViewTrust Technology where he developed and implemented solutions
for cloud and enterprise Governance, Risk and Compliance (GRC) and Continuous
Compliance Automation and Risk Monitoring. Virtustream acquired ViewTrust in
2014.
Kaus has US patents for
designing advanced data center architecture for the highest level of resiliency
and reliability and authored the book "Implementing Secure Intranets and
Extranets," with a foreword by Internet pioneer Dr. Vint Cerf. He has presented
at the World Bank, AFCEA, and the National Defense University, and is an
adjunct professor at the University of Miami, teaching a course in Cyber
Security.