Cloud Security
For those who have organizations focused on cloud technologies, I am wondering what some of the hurdles / risks / security implications you have had to face or deal with. Does anyone have comments / opinions on Windows Azure in an enterprise environment?
Comments
NightShade03 Member Posts: 1,383
Might want to get a coffee because this will certainly be a response of epic proportion...
Many organizations today are facing challenges because they assume that they can simply just "go to the cloud". Hey we have this great application that's only five years old. Why don't we spin up some EC2 instances and just migrate to the AWS environment? WRONG! The cloud doesn't work this way and for many people the education behind why it doesn't work this way is the biggest challenge. As a cloud architect, I can honestly tell you I spend 70% of my time educating people and stakeholders vs doing deployments or migrations.
The cloud requires you/orgs to understand scalability, security, horizontal scaling, business continuity, security, tiered architectures, and did I say security? Almost all enterprise applications were not designed to be scalable and that causes huge problems when the load increases on those applications. The cloud addresses this problem directly, but will require you to re-architect your application into a tiered model. OK so I've re-engineered my app...now what? Well the architecture isn't the only concern. How are you handling things like data security, data lifecycle mgmt, encryption, compliance, access and authorization? Many of these things are an afterthought for traditional orgs because they have firewalls and IPS/IDS devices protecting everything within the corporate walls. That doesn't happen in the cloud. Anything you put out there should be considered a public asset and publicly accessible. Want to deploy a proxy, DLP solution, and a SIEM to handle all of your security needs? Not going to happen as these types of traditional tools don't exist within the cloud.
Common challenges outside of education today are really focused on the "shadow IT" problem and cloud management. For Shadow IT it's all about understanding what assets you have out in the cloud and what cloud resources your internal users are leveraging. Do you have usage policies for social media? What about things like cloud storage (Dropbox, Box, Google Drive, etc)? My favorite example is a large bank that was paying for a salesforce license for every single user within the org and when they used some cloud visibility tools to understand SF usage vs demand they realized only 33% of those licenses were actually being used. They scaled back and saved themselves $6 million per year! Many different departments are doing their own things and testing out different platforms. That's cool and it helps when IT departments are already overwhelmed, but you still need visibility into what is going on with the organization as a whole.
The second issue stems from lack of management tools. Yes AWS and Azure have these amazing dashboards/consoles that you can log into and do different tasks. However what happens when you have assets within both of those public clouds and a research department that has a private cloud via OpenStack deployed on prem? How are you going to manage all of those tools together? There are very few resources in the world today that address this and it's mostly because cloud platforms are evolving so fast that it's impossible to keep up with them all.
At the end of the day cloud security boils down to a few points:
- Educating everyone on how the cloud is different
- Re-architecting applications for usability, scalability, and security
- Compliance & Data security
- Agile (can you automate deployments and rebuild whole environments quickly?)
- Choosing the right model for the right problem
Azure and AWS are both amazing platforms, but aren't always the best options if your requirements don't warrant either platform (IaaS vs. PaaS).
If you have any other questions/comments I'm more than happy to discuss further
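The post above argues that anything deployed to a public cloud should be treated as publicly accessible unless you have checked otherwise, and that access, authorization and encryption have to be handled explicitly rather than assumed from a perimeter. The script below is an added example (not part of the thread, and not any vendor's tooling) of turning that assumption into an automated posture check: it walks an inventory of security groups, bucket ACLs and volumes and reports everything world-reachable or unencrypted. The inventory is a constructed JSON snippet shaped like a subset of the AWS describe-security-groups, get-bucket-acl and describe-volumes responses; the group IDs, bucket names and volume IDs are hypothetical. In practice you would feed it the real API output instead of the embedded sample.

```python
"""Posture audit over a cloud inventory: flag resources that are effectively public.

Added example, not code from the original post. The input is a constructed
subset of the fields AWS returns from describe-security-groups,
get-bucket-acl and describe-volumes; every ID and name below is hypothetical.
"""
import ipaddress
import json

# Constructed sample inventory (hypothetical IDs and names).
INVENTORY_JSON = """
{
  "security_groups": [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0b2", "GroupName": "db", "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0c3", "GroupName": "legacy", "IpPermissions": [
      {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
  ],
  "buckets": [
    {"Name": "acme-public-assets", "Grants": [
      {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    {"Name": "acme-customer-exports", "Grants": [
      {"Grantee": {"ID": "owner"}, "Permission": "FULL_CONTROL"}]}
  ],
  "volumes": [
    {"VolumeId": "vol-01", "Encrypted": true},
    {"VolumeId": "vol-02", "Encrypted": false}
  ]
}
"""
SAMPLE_INVENTORY = json.loads(INVENTORY_JSON)

# Ports that should never be reachable from the whole internet. Ordinary
# application listeners (80/443) are expected to be world-open and are not flagged.
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 27017, 6379}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(rule):
    """Ports a rule exposes; None means every port (protocol -1 has no port range)."""
    if rule.get("IpProtocol") == "-1" or "FromPort" not in rule:
        return None
    return range(rule["FromPort"], rule["ToPort"] + 1)


def audit_security_groups(groups):
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not any(is_world(s) for s in sources):
                continue  # only internal sources; nothing to report
            ports = rule_ports(rule)
            if ports is None:
                findings.append((sg["GroupId"], "all ports open to the world"))
            else:
                for p in sorted(ADMIN_PORTS.intersection(ports)):
                    findings.append((sg["GroupId"], f"port {p} open to the world"))
    return findings


def audit_buckets(buckets):
    """Any ACL grant to the AllUsers group makes the bucket anonymously accessible."""
    return [(b["Name"], f"ACL grants {g['Permission']} to AllUsers")
            for b in buckets for g in b.get("Grants", [])
            if g.get("Grantee", {}).get("URI") == ALL_USERS]


def audit_volumes(volumes):
    return [(v["VolumeId"], "volume not encrypted") for v in volumes if not v.get("Encrypted")]


def audit(inventory):
    """All findings as (resource, issue) tuples, sorted for stable diffing between runs."""
    return sorted(audit_security_groups(inventory.get("security_groups", []))
                  + audit_buckets(inventory.get("buckets", []))
                  + audit_volumes(inventory.get("volumes", [])))


if __name__ == "__main__":
    for resource, issue in audit(SAMPLE_INVENTORY):
        print(f"{resource}: {issue}")
```

Run it and the sample yields four findings: the world-open SSH rule on the web group, the legacy group that allows every port from anywhere, the bucket readable by AllUsers, and the unencrypted volume; the 443 rule and the database group restricted to 10.0.0.0/8 are correctly left alone. Running this from a pipeline on every change, rather than once, is what the "can you rebuild whole environments quickly" point in the post comes down to in practice.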
5ekurity Member Posts: 346
Very helpful, thanks for the post! Some of the things I am focusing on heavily are related to the security piece and understanding the threats / risks to information in the cloud, how the data is secured, and what can be done to better protect the data (if anything).
Some of the things that concern me off the bat is exactly what you said - overall lack of insight as to who is accessing what and when, the whole 'prevention is ideal, but detection is a must' ideology (i.e. how do you detect abuse / security incidents), and managing the data once it is in the cloud.
From a contract perspective, what expectation should an organization have from a cloud provider as it pertains to security incidents, detected/prevented or otherwise? What happens when it comes time to dispose of data; how can we be sure it isn't backed up somewhere within our cloud provider? What are some of the main security concerns you commonly see/face?
darkerosxx Banned Posts: 1,343
I think the point of what he was saying is assume your data is available to the public, so assume people have backups of it, but I wouldn't expect any help from a cloud provider with a security incident. Your security is generally your responsibility, unless you're paying for a managed security product. That's why I think so many security related roles have opened up recently.
Also, I can speak to education being the majority of any new cloud initiative. Like any new technology, people want to take advantage of it and will pay people to make it understandable and usable. Take advantage of that.