The puzzle of cloud security: the assets vs …




For cloud adopters, the problem is no longer where your data is located: in AWS, on-premises, in Azure, in Salesforce, or elsewhere. The important questions are: who has access to it, and how is it protected?

Cloud adoption has become a question of when, not if, for most large companies. McAfee estimates that 97% of businesses today use some form of cloud services, with the unstated assumption that more projects will transition to cloud infrastructure or similar cloud services in the next few years.

Recent headlines have highlighted many examples of what concerns many security experts: the impact of the cyber risks associated with moving data, assets and infrastructure to cloud services, and the heightened threat profile that is supposed to follow. In a recent study, HyTrust found that the top priority for most IT managers when it comes to cloud adoption is cybersecurity: how to protect data, assets, and infrastructure when their organization no longer controls all of the technology.

Although there are risks associated with cloud services that are not present in a traditional on-premises IT environment (virtualization and isolation of cloud tenants, shared network endpoints, third-party trust, etc.), alongside some traditional risks (insider threats, the lack of cryptographic protections, session authenticity problems, etc.), it seems that if we peel back the layers on these recent headlines, many of these stories share a consistent underlying theme. In many cases, data exposures were attributable to user-controlled cloud assets and user-defined security controls, not to risks associated with the cloud infrastructure or the underlying cloud service.

As Gartner predicted in a 2016 research report on cloud security, "until 2020, 95% of cloud security failures will be the fault of the customer." With McAfee adding that one in four companies has already experienced data theft affecting their presence in the public cloud, it is imperative that cloud adopters and users prioritize the secure configuration and implementation of the aspects of the cloud that they can control. If not, they will become yet another statistic.

While many security vulnerabilities in the cloud can be attributed to some form of user error, how can cloud adopters take charge of their own cloud security and still take advantage of the scale, efficiency and flexibility of cloud solutions? Many industry observers point to these five recommendations when discussing cybersecurity in the cloud:

  • Move to DevOps or DevSecOps operating models for software development and cloud environment operation
  • Automate security and configuration tools to adapt to the dynamic nature of cloud environments
  • Use security and compliance monitoring tools to check the security status of the cloud environment
  • Make intensive use of cryptographic technologies to verify authenticity and the chain of trust
  • Appropriately obfuscate data in transit and at rest

What many of these recommendations fail to appreciate is that organizations must undergo an even more fundamental change in their security thinking when working in the cloud. Companies notoriously lose control over parts of their IT security model when they lose control of the underlying IT assets as part of their migration to the cloud. However, many companies still fail to appreciate that the move to the cloud completely changes the idea of ownership and control of assets, not just for the data, assets, and infrastructure migrated to the cloud, but also for their internal organization.

This of course does not mean that companies should no longer prioritize physical and logical control and resource management for on-site IT infrastructure. Instead, they need to anchor their security strategy to something other than "asset control = security" and focus on the data. While this seems obvious, it's amazing to me how many cloud adopters fail to appreciate the implications of this shift in thinking. The question is no longer whether my assets are in Amazon Web Services, on-premises, in Azure, in Salesforce, or elsewhere. The question is: how is my data secured?

Cloud adoption, both "major application" migrations to infrastructure-as-a-service providers and the replacement of on-premises applications with SaaS solutions, offers so many different possibilities for where data can end up that defining a security boundary, the traditional first step of security management, is quickly becoming infeasible, incomplete, and potentially inaccurate. This is especially true as cloud adoption trends continue within an organization and the number and complexity of cloud deployments grow.

By focusing on the data that the organization cares about, rather than on the assets and infrastructure in place to support that data, a company can migrate to a cloud security model that is just as effective as, if not more effective than, traditional models of security asset management built on a security boundary definition. By focusing on the data (where it is, who has access to it, and how it is protected), organizations can more easily prioritize cloud security spending, sort out third-party dependencies that do not directly address their data posture, and accurately manage their responses to the cybersecurity risks that appear in the brave new world that is the "cloud".


Andrew Williams is the Product Manager for FedRAMP's cyber risk advisory and valuation teams at Coalfire. As Product Manager, Andrew oversees Coalfire's sales, delivery and professional development strategy for all consulting and evaluation staff.
