Understanding the variants of cloud security
Contrary to popular belief, the cloud is not an inherently insecure environment – it just has a different security model to that which most people are used to. It comes with new responsibilities and new trust relationships that need to be established to properly secure your environment. These environments have the opportunity to be far more secure than even traditional data centers, but they need to be approached in the right way.
Confusion usually starts early when we talk about security in the cloud, because key terms can mean different things to different people. To be absolutely clear, “cloud security” can mean three very different things:
– A SaaS (software as a service) offering that provides a security service
– An offering that helps you monitor SaaS services (note that this has no bearing on its delivery form – SaaS, on-premises software or appliance)
– The set of tools/features required to secure an IaaS (infrastructure as a service) environment.
Understanding these three variants of ‘cloud security’ is important to then realise the promise and the risk of your own use of the cloud, says Russell Spitler, vice president, Product Strategy at AlienVault.
The risk we run with the cloud largely depends on the nature of our use. However, since cloud services have proven to be viral in nature, most organisations make use of both SaaS and IaaS, whether or not it is in line with corporate policy. Recent research has shown SaaS offerings being leveraged as points of data exfiltration and used as command and control (C&C) channels. This integration of SaaS into the methods used by attackers is a sure sign of widespread cloud adoption. This reflects an increased understanding of the nature of IaaS by attackers and increases the responsibility of users to properly monitor and secure such environments.
Even with a current understanding of the risks related to use of IaaS and SaaS we need to remind ourselves of the potential for causalities. Attackers target and leverage these services because that is where our data is stored. An attacker who is targeting us will not simply stop if we are not using the cloud; they will simply leverage other techniques when attacking us. A similar point can be made for broad-based attacks.
If the broad-based attacks we face today only targeted cloud environments, we might have a case against using such environments. However, at this point the majority of broad-based attacks still target traditional environments. Thus, avoiding the use of the cloud is not an action that will make us inherently more secure. Just as with the adoption of any other technology, we must understand the cost and weigh it against the benefits of use.
When working with cloud providers it is important to establish what responsibilities you retain for security and what is managed by the provider. Depending on the nature of the service, the line of responsibility shifts. For IaaS providers, the customer is responsible for the operating system up; however, for SaaS providers, the customer is responsible for privileged users. This has a major impact on the security controls we implement to shore up our end of the bargain.
With IaaS providers, we need to start at the OS level and take full advantage of the automation and configuration tools provided. With both IaaS and SaaS providers, we need to keep a close eye on the administrative audit logs to monitor privileged user access and ensure appropriate use of the features in the environment. Automated analysis and monitoring of these logs is critical to identify the difference between a DevOps engineer spinning up a new server and an attacker taking advantage of compromised credentials.
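The audit-log analysis described above can be sketched as a per-principal baseline check. This is an added example, not code from the author or any provider; the log format, field names, action names and addresses are constructed for illustration.

```python
import ipaddress
import json
# Constructed audit records (generic JSON lines, not any provider's real schema).
BASELINE_LOG = """
{"time": "2024-05-01T09:12:00Z", "principal": "deploy-ci", "action": "CreateServer", "source_ip": "198.51.100.10", "region": "eu-west"}
{"time": "2024-05-02T09:15:00Z", "principal": "deploy-ci", "action": "CreateServer", "source_ip": "198.51.100.23", "region": "eu-west"}
{"time": "2024-05-03T11:30:00Z", "principal": "alice", "action": "CreateServer", "source_ip": "192.0.2.44", "region": "eu-west"}
"""
NEW_LOG = """
{"time": "2024-05-10T09:14:00Z", "principal": "deploy-ci", "action": "CreateServer", "source_ip": "198.51.100.31", "region": "eu-west"}
{"time": "2024-05-10T03:02:00Z", "principal": "deploy-ci", "action": "CreateServer", "source_ip": "203.0.113.77", "region": "ap-south"}
{"time": "2024-05-10T03:05:00Z", "principal": "alice", "action": "CreateAccessKey", "source_ip": "192.0.2.44", "region": "eu-west"}
{"time": "2024-05-10T03:09:00Z", "principal": "alice", "action": "ListServers", "source_ip": "203.0.113.5", "region": "eu-west"}
"""
PRIVILEGED = {"CreateServer", "CreateAccessKey", "AttachAdminPolicy"}  # hypothetical names

def parse(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def network(ip, prefix=24):
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)  # /24 ignores address churn

def build_baseline(events):
    baseline = {}
    for e in events:
        p = baseline.setdefault(e["principal"], {"nets": set(), "regions": set(), "actions": set()})
        p["nets"].add(network(e["source_ip"]))
        p["regions"].add(e["region"])
        p["actions"].add(e["action"])
    return baseline

def reasons_for(event, baseline):
    if event["action"] not in PRIVILEGED:
        return []  # only privileged actions are scored
    profile = baseline.get(event["principal"])
    if profile is None:
        return ["principal never seen before"]
    checks = [
        (network(event["source_ip"]) not in profile["nets"], "new source network"),
        (event["region"] not in profile["regions"], "new region"),
        (event["action"] not in profile["actions"], "first use of this privileged action"),
    ]
    return [label for hit, label in checks if hit]

def detect(new_events, baseline):
    scored = ((e, reasons_for(e, baseline)) for e in new_events)
    return [(e["time"], e["principal"], e["action"], r) for e, r in scored if r]

if __name__ == "__main__":
    print(*detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG))), sep="\n")
```

The routine server launch from the known CI range passes silently, while the same action from an unseen network and region, and a first-time key creation, are surfaced with reasons an analyst can triage.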
Taking advantage of everything the cloud offers requires a careful analysis of the risks. But by taking the time to understand it, and getting to know the policies of your chosen cloud providers, the security potential is limitless. This is a new way of working and requires a new mindset, but taking the time to understand it will reap significant rewards and allow us to move into a new and secure future.
The author of this blog is Russell Spitler, vice president, Product Strategy at AlienVault.