Back in 2011, while reporting at the annual information security RSA Conference held in San Francisco, I asked attendees, “What’s the most over-hyped issue in security?”
Universally everyone responded, “The cloud.”
The cloud might have been hype four years ago, but today it is a necessary business driver. Unfortunately, confusion about how to use it effectively has given rise to a series of industry myths that instil fear in many CIOs.
What are the cloud security myths that keep circulating and what are their realities? Here’s what industry experts had to say:
1: The cloud is inherently insecure
“The biggest myth, which refuses to die, is that your data is not safe in the cloud,” argued Orlando Scott-Cowley (@orlando_sc), cyber-security specialist, Mimecast. “We’re still dealing with the legions of server huggers who claim their data is safer on their own networks, where they can feel the cold embrace of the tin of their servers and watch the small blinking lights in their server rooms.”
“There is a natural perception to believe that things outside of my control are innately less secure,” said Tim McKellips (@Mckellip), manager of technical services, Softchoice. “I think cloud providers like Microsoft are taking Herculean efforts to secure their environments in a way the average client could never do.”
Dozens of experts brought up this persistent myth, arguing that compared to your organization, cloud providers have greater expertise and more technical staff.
“Cloud companies are beginning to spend at a scale of great magnitude that cannot be matched by a single organization,” said Brennan Burkhart (@LiquidHub), partner, global salesforce practice lead, LiquidHub.
“Cloud computing boosts your security in a way that you will never be able to afford. This is because of the economies of scale,” continued Ian Apperley (@ianapperley), writer and IT consultant, whatisitwellington.
2: The cloud security debate is simple
The “cloud is less secure” argument discounts the many variables that go into the cloud deployment decision, such as your organization’s size, existing in-house expertise, who your adversaries are, whether you need to penetration test each deployment, and your organization’s need to scale.
The cloud doesn’t need to be seen as a binary decision. “It’s not a ‘yes or no’ or ‘allow or block’ world,” said Sanjay Beri (@netskope), CEO and founder, Netskope. “There are now tools and capabilities that allow IT to enable cloud securely in any number of environments specific to unique requirements’ needs thanks to the ubiquitous nature of APIs.”
3: There are more breaches in the cloud
Once again, this myth simplifies a very complicated issue. According to the Spring 2014 Alert Logic Cloud Security Report, both on-premises environments and cloud hosting providers (CHPs) saw a dramatic increase in vulnerability scans from 2012 to 2013, with CHPs seeing a slightly greater increase. But for other attack types, such as malware and botnets, on-premises environments were far more susceptible.
“When the correct security policies for preventing attacks and detecting them are implemented, attacks are no more threatening to the cloud than any other piece of infrastructure,” said Alastair Mitchell (@alimitchell), president and co-founder, Huddle.
“Public cloud vendors typically employ a strong team of security specialists and they also have the economies of scale to acquire cutting edge security appliances,” noted Torsten Volk (@TorstenVolk), vice president of product management, cloud, ASG Software Solutions. “Their reputation rides on it.”
4: Physical control of data implies security
“The biggest myth about cloud security is that control is the foundation of security, or lack of security,” said Praveen Rangnath (@splunk), director of Splunk Cloud, Splunk. “The foundation is visibility.”
“The various high profile security breaches over the past few months have served to highlight that the physical location of the data matters less than the access and associated controls,” added NaviSite’s general manager, Sumeet Sabharwal (@sabhas).
Believing in the data location myth diverts focus from the more common attack vectors, such as exploiting human social weaknesses and malware, said David Cope (@DavidJamesCope), executive VP of corporate development, CliQr, who cited Verizon’s 2014 Data Breach Investigations Report as evidence of this trend.
5: Cloud security is far too difficult to maintain
“Believing in this myth leads to companies either compromising security in the name of business requirements or refraining from using the cloud for mission critical applications,” continued Suleman.
The security issues are similar, noted Denny Cherry (@mrdenny), owner & principal consultant, Denny Cherry & Associates Consulting, “SQL injection (the biggest security risk to systems) is still a problem in the cloud and is addressed in exactly the same way as on premise. Firewall configurations, penetration testing, VPNs, etc. are all just as important when working with a cloud provider as they are when working on premise.”
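Cherry’s point that SQL injection is fixed the same way in the cloud as on premises is easy to show concretely. The following is an added example, not code from the article or from any of the people quoted in it: a deliberately vulnerable login query built by string concatenation, beside the parameterized form that a cloud-hosted or on-premises database driver handles identically. The table, rows and the `alice'--` payload are constructed for the example; passwords are stored in plaintext only to keep it short.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory users table so the example runs offline.
    # Real systems store password hashes, never plaintext; this is for illustration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Deliberately insecure: concatenating user input into the statement lets
    # the input change the query's structure, not just its values.
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_hardened(conn, username, password):
    # Parameterized query: values travel separately from the statement text,
    # so the same payload is compared literally and never parsed as SQL.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    conn = make_db()
    # The trailing '--' starts a SQL comment, discarding the password clause
    # in the concatenated query.
    payload_user = "alice'--"
    return {
        "vuln_bypass": login_vulnerable(conn, payload_user, "wrong"),      # ("alice", "admin")
        "hardened_bypass": login_hardened(conn, payload_user, "wrong"),    # None
        "hardened_valid": login_hardened(conn, "bob", "hunter2"),          # ("bob", "user")
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

The vulnerable function authenticates the attacker as `alice` with no valid password; the parameterized function returns nothing for the same input and still works for a genuine login. Nothing about the fix depends on where the database is hosted.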
6: You can build a perimeter around cloud applications
“With apps strewn across the internet, if a corporation thinks they can build one perimeter around all their apps, then they are nuts,” said Patrick Kerpan (@pjktech), CEO and co-founder, Cohesive Networks.
“People still think in terms of network-based security, even when it comes to the cloud,” added Asaf Cidon (@asafcidon), CEO and co-founder, Sookasa. “They're still trying to protect their network from the cloud with reverse proxies and firewalls.”
“Security should extend down to each individual enterprise application,” Kerpan continued.
“Boundaries are extended with cloud, and boundaries are already broken with mobile and IoT,” said Tim Cuny (@OptimizewithCMI), VP of solutions, CMI. “Remove the old thinking of protecting perimeter boundaries and concentrate on a comprehensive risk management program that focuses on protecting assets from a people, process, and technology perspective.”
7: I’m not using the cloud so I’ve got better protection
Even though many might try to fool themselves into believing they’re not using the cloud, we’re all online and susceptible to many of the same threats.
8: Shadow IT can be stopped
While IT can’t control the consumerization of IT, it is still held responsible for any technical issues.
“When business users suffer from poor application performance, including those with SaaS applications, IT is on the hook to resolve problems even though IT may not have anything to do with the infrastructure being used,” said Bruce Kosbab (@BruceKosbab), CTO, Fluke Networks. “To avoid this situation IT and the business must work together.”
“A fully representative cross-section of management, including the CEO, must be responsible for the design, deployment, and maintenance of cloud security policy and implementation,” added Steve Prentice (@stevenprentice), senior writer, CloudTweaks.
9: Cloud security is solely the cloud provider’s responsibility
“A common misconception is that the cloud provider automatically looks after all the security needs of the customer’s data and process while in the cloud,” said Jeff M. Spivey (@spiveyjms), VP of strategy, RiskIQ.
“Just being provided the tools to create, implement, and enforce security measures for cloud workflows does not inherently defer the business risk associated with an increased level of attack or compromise,” said Scott Maurice (@scottjmaurice), managing partner, Avail Partners.
“Password policies, release management for software patches, management of user roles, security training of staff, and data management policies are all responsibilities of the customers and at least as critical as the security being done by the public cloud provider,” added ASG’s Volk.
While you’re hardening internal security, don’t assume that your cloud provider backs up your data and will be able to restore it in case of a security breach.
“It is instrumental and critical that you implement a backup solution that backs up your data that is hosted on the cloud to an onsite backup or to another cloud provider,” said Bruno Scap (@MaseratiGTSport), president, Galeas Consulting. “In addition, in case of a security breach, you may need to restore your data from backups that you know are clean.”
10: You don’t need to manage the cloud
“Many believe that since the cloud infrastructure is often basically just a managed service, that the security of the services is also managed,” said Michael Weiss (@Oildex), VP, software engineering, Oildex. “Many cloud based systems are left inadvertently unsecured because the customer does not know that they need to do something to secure them, as they assume that the provider has done what an in-house security staff would traditionally have done by default.”
“Cloud security requires the same discipline for security of any data center,” said David Eichorn (@Zensar), associate VP and cloud expert with Zensar Technologies. “Cloud data centers are as resilient as any, but the weakness comes if the policies, processes and tools aren’t regularly monitored by the IT operations staff responsible.”
“Understand where that line is drawn. Who is responsible for what,” said Adrian Sanabria (@sawaba), senior analyst, enterprise security practice, 451 Research. “Generally, everything on the cloud provider’s network and in their data centers is covered at a low level. However, everything above the hardware layer and lower network layers is the customer’s responsibility.”
11: You can ignore BYOD and be more secure
“Not supporting and implementing a BYOD policy does not mean an enterprise will be less at risk of a data breach,” noted John Zanni (@jzanni_hosting), SVP of cloud and hosting sales, Acronis. “The BYOD movement is here to stay.”
Zanni recommends deploying a mobile content management (MCM) solution, as protecting the data will be what ultimately defines your business’ security and compliance requirements.
12: Cloud data isn’t saved on mobile devices
“I still hear people speaking about cloud deployment as if using this service means you are not saving any enterprise data on mobile devices, and that this might make device data protection a moot point,” said Israel Lifshitz (@nubosoftware), CEO, Nubo. “Apps that are connecting to devices are always caching data, and that cached data is stored on your employees' mobile devices. This data can be breached and hacked and therefore must be protected.”
13: Single tenant systems are more secure than multi-tenant
“Multitenant systems offer two security benefits over single-tenant systems,” said Eric Burns (@panopto), CEO and co-founder, Panopto. “They provide an additional layer of content protection, and they ensure that security patches are always up-to-date.”
While cloud-hosted systems provide hardware-based and perimeter security, those who choose a multi-tenant solution, noted Burns, get a third layer of protection called logical content isolation, designed to help prevent inside-perimeter attacks.
“Like tenants in an apartment building who use one key to enter the building and another to enter their individual apartment, multitenant systems uniquely require both perimeter and ‘apartment-level’ security,” explained Burns.
It’s a necessary protection layer for the existence of multi-tenant systems.
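Burns’ apartment analogy maps directly onto how a data access layer enforces logical content isolation. The following is an added example, not code from the article or from Panopto: two tenants’ rows share one table, an authenticated session carries the caller’s tenant (the “building key”), and every query is additionally scoped to that tenant (the “apartment key”). The unscoped lookup beside it shows the inside-perimeter failure the isolation layer exists to prevent. Table, tenant names and rows are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    # An authenticated principal bound to exactly one tenant (constructed for the example).
    user: str
    tenant_id: str


def make_store():
    # Constructed sample data: one shared documents table holding two tenants' rows.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents (id, tenant_id, title) VALUES (?, ?, ?)",
        [(1, "acme", "Acme Q3 forecast"), (2, "globex", "Globex payroll")],
    )
    return conn


def get_document_unscoped(conn, doc_id):
    # Inside-perimeter failure: the caller has passed the building door, and the
    # lookup trusts the id alone, so any tenant can read any other tenant's row.
    return conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


def get_document(conn, session, doc_id):
    # Logical content isolation: the tenant filter comes from the session, never
    # from the request, so a cross-tenant id behaves exactly like a missing one.
    return conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, session.tenant_id),
    ).fetchone()


def demo():
    conn = make_store()
    acme_user = Session(user="alice", tenant_id="acme")
    return {
        "unscoped_leak": get_document_unscoped(conn, 2),      # globex row leaks to acme
        "scoped_own": get_document(conn, acme_user, 1),       # acme's own row
        "scoped_cross": get_document(conn, acme_user, 2),     # None
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

The important design choice is that the tenant id is taken from the authenticated session rather than from anything the client sends; a scoping filter that the caller can supply is one the caller can omit.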
In addition, “multitenant systems ensure that software updates, including security patches, are applied to all customers simultaneously,” said Burns. “With single-tenant systems, software vendors are required to update individual customers’ virtual machines.”
14: Multi-tenant systems are more secure than single tenant
There are no absolutes in cloud security. The complete opposite statement regarding cloud tenancy can also be viewed as a myth.