Back in 2011, while reporting at the annual information security RSA Conference held in San Francisco, I asked attendees, “What’s the most over-hyped issue in security?”
Universally, the answer was, “The cloud.”
The cloud might have been hype four years ago, but today it is a necessary business driver. Unfortunately, confusion about how to use it effectively has given rise to a series of industry myths, often instilling fear in many CIOs.
What are the cloud security myths that keep circulating and what are their realities? Here’s what industry experts had to say:
1: The cloud is inherently insecure
“The biggest myth, which refuses to die, is that your data is not safe in the cloud,” argued Orlando Scott-Cowley (@orlando_sc), cyber-security specialist, Mimecast. “We’re still dealing with the legions of server huggers who claim their data is safer on their own networks, where they can feel the cold embrace of the tin of their servers and watch the small blinking lights in their server rooms.”
“There is a natural perception to believe that things outside of my control are innately less secure,” said Tim McKellips (@Mckellip), manager of technical services, Softchoice. “I think cloud providers like Microsoft are taking Herculean efforts to secure their environments in a way the average client could never do.”
Dozens of experts brought up this persistent myth, arguing that compared to your organization, cloud providers have greater expertise and more technical staff.
“Cloud companies are beginning to spend at a scale of great magnitude that cannot be matched by a single organization,” said Brennan Burkhart (@LiquidHub), partner, global salesforce practice lead, LiquidHub.
“Cloud providers live, eat, and breathe network security while most other organizations don’t usually list it as one of their core competencies,” continued Leo Reiter (@virtualleo), CTO, Nimbix.
“Cloud computing boosts your security in a way that you will never be able to afford. This is because of the economies of scale,” continued Ian Apperley (@ianapperley), writer and IT consultant, whatisitwellington.
2: The cloud security debate is simple
“The biggest myth is that the [cloud security] question is even that simple,” argued Scott Feuless (@ISG_News), principal consultant, ISG.
The “cloud is less secure” argument discounts the many variables that go into the cloud deployment decision, such as your organization’s size, existing in-house expertise, who your adversaries are, whether you need to do penetration testing for each deployment, and your organization’s need to scale.
The cloud doesn’t need to be seen as a binary decision. “It’s not a ‘yes or no’ or ‘allow or block’ world,” said Sanjay Beri (@netskope), CEO and founder, Netskope. “There are now tools and capabilities that allow IT to enable cloud securely in any number of environments specific to unique requirements’ needs thanks to the ubiquitous nature of APIs.”
3: There are more breaches in the cloud
Once again, this myth simplifies a very complicated issue. According to the Spring 2014 Alert Logic Cloud Security Report, both on-premise and cloud hosting providers (CHP) saw a dramatic increase in vulnerability scans from 2012 to 2013, with CHP having a slightly greater increase. But depending on the type of attack, such as malware and botnets, on-premise was far more susceptible.
“Internet threats are just as much of a risk for private cloud infrastructures and service provider networks,” said Jason Dover (@jaysdover), director of product line management, KEMP Technologies.
“When the correct security policies for preventing attacks and detecting them are implemented, attacks are no more threatening to the cloud than any other piece of infrastructure,” said Alastair Mitchell (@alimitchell), president and co-founder, Huddle.
“Public cloud vendors typically employ a strong team of security specialists and they also have the economies of scale to acquire cutting edge security appliances,” noted Torsten Volk (@TorstenVolk), vice president of product management, cloud, ASG Software Solutions. “Their reputation rides on it.”
4: Physical control of data implies security
“The biggest myth about cloud security is that control is the foundation of security, or lack of security,” said Praveen Rangnath (@splunk), director of Splunk Cloud, Splunk. “The foundation is visibility.”
“The various high profile security breaches over the past few months have served to highlight that the physical location of the data matters less than the access and associated controls,” added NaviSite’s general manager, Sumeet Sabharwal (@sabhas).
Believing in the data location myth diverts focus from the more common attack vectors, such as exploiting human social weaknesses and malware, said David Cope (@DavidJamesCope), executive VP of corporate development, CliQr, who cited Verizon’s 2014 Data Breach Investigations Report as evidence of this trending security threat.
5: Cloud security is far too difficult to maintain
“The top myth we come across about security is that security in the cloud is more difficult to maintain than on-premise,” said Aater Suleman (@FutureChips), CEO, Flux7.
“Ultimately, a ‘cloud’ is just someone else’s network,” noted Corey Nachreiner (@watchguardtech), director of security strategy and research, WatchGuard.
“Believing in this myth leads to companies either compromising security in the name of business requirements or refraining from using the cloud for mission critical applications,” continued Suleman.
The security issues are similar, noted Denny Cherry (@mrdenny), owner & principal consultant, Denny Cherry & Associates Consulting, “SQL injection (the biggest security risk to systems) is still a problem in the cloud and is addressed in exactly the same way as on premise. Firewall configurations, penetration testing, VPNs, etc. are all just as important when working with a cloud provider as they are when working on premise.”
6: You can build a perimeter around cloud applications
“With apps strewn across the internet, if a corporation thinks they can build one perimeter around all their apps, then they are nuts,” said Patrick Kerpan (@pjktech), CEO and co-founder, Cohesive Networks.
“People still think in terms of network-based security, even when it comes to the cloud,” added Asaf Cidon (@asafcidon), CEO and co-founder, Sookasa. “They’re still trying to protect their network from the cloud with reverse proxies and firewalls.”
“Security should extend down to each individual enterprise application,” Kerpan continued.
“Multiple layers are needed to combat hackers. There isn’t a single silver bullet,” agreed Greg Rayburn (@FlukeNetENT), security analyst, Fluke Networks.
“Boundaries that are extended with cloud and boundaries are already broken with mobile and IoT,” said Tim Cuny (@OptimizewithCMI), VP of solutions, CMI. “Remove the old thinking of protecting perimeter boundaries and concentrate on a comprehensive risk management program that focuses on protecting assets from a people, process, and technology perspective.”
7: I’m not using the cloud so I’ve got better protection
Even though many might try to fool themselves into believing they’re not using the cloud, we’re all online and susceptible to many of the same threats.
“If your systems are connected to the Internet, then you are already on the cloud,” argued Peter Landau (@harmony_notes), president, Harmony Technologies.
“The biggest security threat is connecting anything (laptops, etc.) to the public internet or deploying any software to the public internet,” added Dave Nielsen (@davenielsen), co-founder, CloudCamp.
8: Shadow IT can be stopped
“The security implications of employees procuring their own cloud services cannot be avoided,” said Sarah Lahav (@sysaid), CEO, SysAid Technologies.
Still, while IT can’t control the consumerization of IT, it is still the department held accountable for any technical issues.
“When business users suffer from poor application performance, including those with SaaS applications, IT is on the hook to resolve problems even though IT may not have anything to do with the infrastructure being used,” said Bruce Kosbab (@BruceKosbab), CTO, Fluke Networks. “To avoid this situation IT and the business must work together.”
“A fully representative cross-section of management, including the CEO, must be responsible for the design, deployment, and maintenance of cloud security policy and implementation,” added Steve Prentice (@stevenprentice), senior writer, CloudTweaks.
9: Cloud security is solely the cloud provider’s responsibility
“A common misconception is that the cloud provider automatically looks after all the security needs of the customer’s data and process while in the cloud,” said Jeff M. Spivey (@spiveyjms), VP of strategy, RiskIQ.
“Just being provided the tools to create, implement, and enforce security measures for cloud workflows does not inherently defer the business risk associated with an increased level of attack or compromise,” said Scott Maurice (@scottjmaurice), managing partner, Avail Partners.
“Password policies, release management for software patches, management of user roles, security training of staff, and data management policies are all responsibilities of the customers and at least as critical as the security being done by the public cloud provider,” added ASG’s Volk.
While you’re hardening internal security, don’t assume that your cloud provider backs up your data and will be able to restore it in case of a security breach.
“It is instrumental and critical that you implement a backup solution that backs up your data that is hosted on the cloud to an onsite backup or to another cloud provider,” said Bruno Scap (@MaseratiGTSport), president, Galeas Consulting. “In addition, in case of a security breach, you may need to restore your data from backups that you know are clean.”
10: You don’t need to manage the cloud
“Many believe that since the cloud infrastructure is often basically just a managed service, that the security of the services is also managed,” said Michael Weiss (@Oildex), VP, software engineering, Oildex. “Many cloud based systems are left inadvertently unsecured because the customer does not know that they need to do something to secure them, as they assume that the provider has done what an in-house security staff would traditionally have done by default.”
“Cloud security requires the same discipline for security of any data center,” said David Eichorn (@Zensar), associate VP and cloud expert with Zensar Technologies. “Cloud data centers are as resilient as any, but the weakness comes if the policies, processes and tools aren’t regularly monitored by the IT operations staff responsible.”
“Understand where that line is drawn. Who is responsible for what,” said Adrian Sanabria (@sawaba), senior analyst, enterprise security practice, 451 Research. “Generally, everything on the cloud provider’s network and in their data centers is covered at a low level. However, everything above the hardware layer and lower network layers is the customer’s responsibility.”
11: You can ignore BYOD and be more secure
“Not supporting and implementing a BYOD policy does not mean an enterprise will be less at risk of a data breach,” noted John Zanni (@jzanni_hosting), SVP of cloud and hosting sales, Acronis. “The BYOD movement is here to stay.”
Zanni recommends deploying a mobile content management (MCM) solution, as protecting the data will be what ultimately defines your business’ security and compliance requirements.
12: Cloud data isn’t saved on mobile devices
“I still hear people speaking about cloud deployment as if using this service means you are not saving any enterprise data on mobile devices, and that this might make device data protection a moot point,” said Israel Lifshitz (@nubosoftware), CEO, Nubo. “Apps that are connecting to devices are always caching data, and that cached data is stored on your employees’ mobile devices. This data can be breached and hacked and therefore must be protected.”
13: Single tenant systems are more secure than multi-tenant
“Multitenant systems offer two security benefits over single-tenant systems,” said Eric Burns (@panopto), CEO and co-founder, Panopto. “They provide an additional layer of content protection, and they ensure that security patches are always up-to-date.”
While cloud hosted systems provide hardware-based and perimeter security, those who choose a multi-tenant solution, noted Burns, get a third layer of protection called logical content isolation, designed to help prevent inside-perimeter attacks.
“Like tenants in an apartment building who use one key to enter the building and another to enter their individual apartment, multitenant systems uniquely require both perimeter and ‘apartment-level’ security,” explained Burns.
That apartment-level isolation is a necessary protection layer for multi-tenant systems to exist at all.
“Multitenant services secure all assets at all times, since those within the main perimeter are all different clients,” said John Rymer (@johnrrymer), VP, principal analyst, Forrester Research.
In addition, “multitenant systems ensure that software updates, including security patches, are applied to all customers simultaneously,” said Burns. “With single-tenant systems, software vendors are required to update individual customers’ virtual machines.”
14: Multi-tenant systems are more secure than single tenant
There are no absolutes in cloud security. The complete opposite statement regarding cloud tenancy can also be viewed as a myth.
For some organizations, forced upgrades and maintenance windows, which happen in a multi-tenancy environment, could be a detriment.
“Make sure your change management requirements can be accommodated and that you will have time to plan for upgrades, which can often be an issue with multi-tenancy systems,” said Boatner Blankenstein (@Bomgar), senior director, solutions engineering, Bomgar. “Single tenancy adds flexibility for scheduling downtime without affecting others.”
15: You own all your data in the cloud
“Your data may not always be yours after you’ve uploaded it. And if it is hosted in another country, you could be looking at cross border jurisdictional headaches,” warned Joe Kelly (@legalworkspace), CEO, Legal Workspace. “Many sites retain the right to determine whether data is offensive or violates copyright or IP laws. Other sites will sell ads based on your content – which means your information may not be as private as you think it is.”
16: The cloud provider will continuously manage certifications and compliance
“Many cloud providers oversimplify the security posture of their platform and steer the conversation toward compliance and certifications awarded by third parties,” explained Sean Jennings (@VCDX17), co-founder and SVP of solutions architecture, Virtustream. “Security certifications are point-in-time snapshots of the cloud platform and supporting processes… It is entirely possible for results to be outdated before the ink is dry on a certificate.”
“Focus should not necessarily be in implementation [of compliance policies] but rather auditing and reporting to satisfy compliance,” said Dan Chow (@ExpertIncluded), COO, Silicon Mechanics. “If regulations change knowing where the gaps are will be important to stay up-to-date and assure that a business is compliant and conforms to the latest standards.”
17: Cloud security is a product or service
“Security is not a product or a service, it is a process,” said Galeas Consulting’s Scap. “Segment your networks based on the purpose of a particular application or service, deploy firewalls, monitor logs, system and network activity, create and follow security procedures and policies, decide who has access to data, and have a plan to follow in case of a security breach.”
18: A cloud server has unlimited resources
It may appear that your cloud server has unlimited memory and processing power, but consuming more than you need can lead to performance issues and dramatic price increases.
“Cloud servers have processor, memory and I/O limitations, normally defined when the request is made. These resources are shared with the rest of the cloud environment and are moved between the cloud servers as needed,” explained Abdul Jaludi (@tagmcllc), president, TAG-MC. “A cloud server will use whatever it needs, up to the configured amount and nothing more. In many shops, users are allowed to exceed their allotted resources at a much higher cost, much like the way mobile phone plans work.”
19: There’s no way to check what third party providers are really doing with your data
“‘Malicious insiders’ is one of the most interesting and under-represented issues when people discuss public cloud security,” said Yuri Sagalov (@yuris), CEO and co-founder, AeroFS. “By outsourcing your storage and compute to third party vendors, you now need to trust not only your own employees, but also the employees of the vendor you’re using to store and process the data.”
“Some cloud providers mine enterprise data in ways that one might not want or that might invade the privacy of employees in ways that can or should not be allowed,” added Nicko van Someren (@good_technology), CTO, Good Technology. “Ensure that the cloud provider will be able to furnish the customer with audit logs to identify everyone who might ever have access to corporate data and possibly show that they have had suitable background checks and clearance.”
20: No need to verify big cloud providers
It may seem logical to go with a large provider with huge networks, dispersed worldwide data centers, and enormous industry recognition. It’s easy to trust them, right? They’re too big to collapse.
Don’t fall into the “trust-but-don’t-bother-to-verify” trap, advised Adam Stern (@iv_cloudhosting), CEO and founder, Infinitely Virtual. “While their businesses may not fail, yours might. An ill-timed outage or glitch could do some serious damage.”
Stern advises you to fully understand your support relationship with your provider: “When a supposedly secure environment suddenly springs a leak who’s going to listen and who will actually help?”
CONCLUSION: Overcoming the cloud myths will allow you to reduce risk
“When the CIA and the NASDAQ begin deploying workloads to the cloud, the debate about whether the cloud can be secured is over,” argued Avail Partners’ Maurice.
Getting hung up on the myths surrounding the cloud will only prevent your organization from realizing the benefits.
Lauren Nelson (@lauren_e_nelson), senior analyst, Forrester Research, explained, “Public cloud is actually an opportunity to minimize financial risk for a net-new project or investment.”
Part of overcoming your fears of the cloud is knowing what not to do when you make that move. For expert advice on a successful cloud migration read 20 Cloud Deployment Mistakes to Avoid.