Ad-hoc cloud security failing cloud needs but solution over a year away

The cloud computing industry is improving its security story – long based on installing intermediary encryption gateways – but is still more than a year away from having “ubiquity in terms of security controls”, a Symantec security expert has warned.

Much of cloud vendors' effort to date had focused on introducing better APIs to ensure smoother verification of user authentication information and encryption of files. However, Symantec senior principal systems engineer Nick Savvides told CSO Australia, such efforts had done little to facilitate the movement of user authentication credentials and encryption keys throughout the ecosystem.

“I might have all the security at the back half of the network but if I still have to use username and password logins, it's still just a user name and password,” he explained. “I've put all the security on the back side of my cloud service, and am protecting it with the weakest form of authentication.”

The issue had persisted because cloud architectures and enterprise architectures weren't generally designed to share authentication information and facilitate encryption – creating a gap between the two that compromised many of the smooth transitions necessary for strong data-security measures to be reliably extended to cloud services.

Gateway-based solutions had provided stopgap measures but the idiosyncrasies of such solutions continued to hold back the broad interoperability necessary for cloud security and encryption to become truly vendor independent.

“The problem is that if you have a dependency on the gateway encrypting data in such a way that it can still be manipulated on the inside, encrypting it can break a lot of that functionality,” Savvides explained.

The solution lay in standards-based authentication efforts from the likes of the Cloud Security Alliance, with cloud and enterprise vendors formalising the management of encryption keys using APIs.

“That is the next big thing that will happen in cloud security over the next 12 months,” Savvides said. “We will see APIs for cloud applications to support third-party encryption of the data at rest. The technology around cloud orchestration needs to become a bit more mainstream.”

Despite improvements in the securing of some kinds of workloads, however, the industry was still “12 to 24 months away from having ubiquity in terms of its security controls,” he warned – particularly in government and other complex industry sectors.

The long timeframe stemmed from intermittent progress towards a more coherent cloud-security platform, which reflected broader issues in making the transition to the new model. That model had enabled powerful new methods of application delivery but continued to frustrate efforts to integrate those capabilities with existing legacy systems.

“There is now a sense that people need to provide services to employees and customers at a much faster pace, which has really challenged some of the traditional IT security policy,” he said, noting that adapting those policies had generally been done on a case-by-case basis.

In large environments such as government agencies, this had posed serious problems. “Traditional IT security policy for governments has been fairly incompatible with the cloud,” Savvides added. “The whole mentality was never built with the concept of having third parties doing things for you in remote data centres.”

“Each time the next workload comes along, you have to redesign all your controls,” he continued. “You're designing controls for every workload that comes out – and you're bringing in cloud services selectively but then adding a layer of complexity and management.”

“You're essentially having to go through a reinvention of your security controls every time you adopt a cloud service.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.
