Rake Narang: As companies work to migrate their business to the cloud, what are some misperceptions about the risk of mitigating cloud servers?
David Meizlik:‘Cloud’ is one of the most used and least understood words in technology, so it’s little surprise that there are misperceptions about its risks. Here are a few:
Misconception #1) The cloud provider is securing your server
In a recent security study, 39% of IT security professionals think their provider will let them know if their cloud server was hacked. I call these folks wishful thinkers. In fact, most providers have SLAs and monitor only for issues involving infrastructure availability, not server security. Providers are responsible for the infrastructure, not how you use it.
Misconception #2) Cloud is like any other infrastructure I have today
Maybe, but how you use and secure that infrastructure is tremendously different. If you think what you’ve done for years in your network can be replicated in the cloud…think again. Remember that you don’t own the infrastructure and you can’t just walk down the hall to resolve a problem. What’s more, very few of your controls extend to the cloud. Fundamentally, as you re-architect you infrastructure for the cloud, you need to think about how you re-architect your security to match.
Misconception #3) I know what I’m doing
Um, no you don’t. But don’t feel bad – few really do. The cloud is new and different, and comes in so many flavors that it’s virtually impossible for anyone to have an exact fix on things. But start with the basic lines of defense like firewalling, encryption, and malware protection, and rethink their applications (see misconception #2).
Rake Narang: What are the barriers to efficiently managing security in a cloud server, and what are the necessary requirements to securing the cloud server?
David Meizlik: The greatest barrier to managing security in the cloud is elasticity. Traditional security has never been designed to scale efficiently. Sure – it’s been designed to support large infrastructure; but it hasn’t been built to scale on-demand. Hence, traditional controls are not nearly as elastic as the cloud infrastructure, which presents a nightmare scenario for IT security professionals. Take the firewall, for example. In a traditional datacenter you might have 100 servers behind a single, perimeter firewall. In the cloud, however, there is no perimeter, so instead of managing a single perimeter firewall you’re managing the firewalls for all 100 servers. So your management just scaled up 100X, but your headcount remained the same. And while you might have 100 server firewalls at 10 am, by noon you might double you server count.
What’s more, most traditional security has been designed to secure within the corporate perimeter, not outside it or across multiple clouds. So, very few tools typically used (e.g., IDM, Firewall, Encryption, etc.) can extend from the corporate network to the cloud, or across multiple cloud providers. This leaves IT with the challenge of having to rethink and rebuild security for the cloud, duplicating controls and processes for a much more elastic environment where most are not designed to protect.
Rake Narang: Who is responsible for managing cloud security risks?
David Meizlik: The provider is responsible for delivering a secure infrastructure; however, it’s the responsibility of each user to ensure they’re using it safely. In particular, the operating system and application stack are the responsibility of the cloud user. I liken this to automobile manufacturers – they’re responsible to build a safe and dependable car, but it’s up to you to drive it defensively and follow the rules of the road. The same is true in the cloud.
Ultimately, only the cloud user can decide how they’re going to use the cloud and settle on an acceptable level of risk. So, while both the provider and user share a responsibility for managing cloud security, the onus is on the user to determine what specific technologies and processes to apply to ensure security.