Playing the odds – the cloud security gamble

"Securing the future will be very different to what it's been like securing the past and securing the present," says Joan Pepin, the CSO of Sumo Logic.

Suddenly, parties are becoming responsible for services in which they have no competency.

Pepin says that to be ready for the future we first need to fix the security problems we have in the present.

As the number of systems and the volume of data and traffic have increased exponentially, we've stopped doing the right things, because we're no longer able to do all of them.

"If we think back to Alexander the Great, he could look down over a battlefield from the top of a hill and see that there was a chariot commander that he wanted to flank to the west. What would he do? He'd pull out his encoder ring (it was a substitution hash, best practices), get a piece of paper, encrypt a message, roll it up and seal it with a wax seal, thereby authenticating that message and making it tamper-proof. He'd hand that to a messenger and send it to the chariot commander."

At the other end, the chariot commander could check the validity of the message from the seal, decrypt it using his decoder ring, and then kill the messenger.

Pepin used this story to highlight that we have known how to handle sensitive information in hostile, open, public spaces for thousands of years, but we're still not doing it right.

What we need to do now is get better at the fundamentals. We need to go back and do them right. We're not doing basic access control, monitoring or encryption. We've been outscaled, she says.

"That's because of the limitations of our architecture and the limitations of our environment, which come down to limitations in the way we think."

Most data centres, says Pepin, are little more than giant PCs when you look at them. They have limited computing power, storage and memory, which means we can't analyse all of the data moving in, out and between applications. At best we can carry out deep packet inspection, for example, on a sample of the traffic rather than all of it.

"We are a slave to this route," said Pepin. "These are some of the core reasons why we're seeing some of these media-worthy breaches."

Pepin says it is possible to build a secure environment in the cloud, but it takes a new approach. When she joined Sumo Logic, Pepin had a secret agenda to convince the company to build an old-fashioned colocated data centre architecture, as that was what she had done in the past, flying in the face of the company's "cloud-first" strategy.

But then she realised that the business's needs would never be properly met with that infrastructure. One of her colleagues pointed out that while a programmer might make a mistake, code itself never does.

"I had this moment. I saw something that I could never un-see: that this cloud was really a huge amorphous blob of power that I could warp to my will using code. That everything I wanted to implement… I could do that with APIs on AWS in a way I could never do in a data centre."
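What "warping the cloud with code" looks like in practice is a security check written against the provider's API and run over the whole estate, rather than a review walked by hand over a sample. The block below is an added example, not code from Sumo Logic or from the talk: it audits EC2 security groups for rules that expose sensitive ports to the entire internet. The input is a constructed dictionary in the shape of boto3's ec2.describe_security_groups() response, so it runs offline; with credentials you would pass the real response (collecting every page while a NextToken is returned) and get findings over every group, not a subset. The group names and the list of sensitive ports are assumptions for illustration.

```python
from typing import Any

# Constructed sample in the shape of boto3 ec2.describe_security_groups().
# Group IDs and names are invented for the example.
SAMPLE_RESPONSE: dict[str, Any] = {
    "SecurityGroups": [
        {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
            # "-1" means all protocols and all ports; open to every IPv6 host.
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ]},
    ]
}

# Assumed policy: ports that must never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_port_range(perm: dict[str, Any]) -> tuple[int, int]:
    """Port range a rule covers; protocol -1 covers everything."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def exposed_sensitive_ports(perm: dict[str, Any]) -> list[int]:
    lo, hi = rule_port_range(perm)
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def world_open_cidrs(perm: dict[str, Any]) -> list[str]:
    cidrs = [r.get("CidrIp", "") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6", "") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def audit_security_groups(response: dict[str, Any]) -> list[dict[str, Any]]:
    """One finding per rule that exposes a sensitive port (or everything) to the world."""
    findings = []
    for sg in response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            open_to = world_open_cidrs(perm)
            if not open_to:
                continue
            all_traffic = perm.get("IpProtocol") == "-1"
            ports = exposed_sensitive_ports(perm)
            if all_traffic or ports:
                findings.append({
                    "group": sg["GroupId"],
                    "name": sg.get("GroupName", ""),
                    "cidrs": open_to,
                    "all_traffic": all_traffic,
                    "ports": ports,
                })
    return findings


if __name__ == "__main__":
    # Live use would be: boto3.client("ec2").describe_security_groups()
    for f in audit_security_groups(SAMPLE_RESPONSE):
        what = "ALL TRAFFIC" if f["all_traffic"] else ", ".join(SENSITIVE_PORTS[p] for p in f["ports"])
        print(f"{f['group']} ({f['name']}): {what} open to {', '.join(f['cidrs'])}")
```

A check like this is cheap enough to run on every change, which is the difference between inspecting a sample and inspecting everything: the web group's 443 rule passes, the bastion's world-open SSH and the database group's all-traffic IPv6 rule are flagged, and whether the bastion finding is accepted is then a policy decision with evidence behind it rather than a guess.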

Pepin said the environment she and her team have built at Sumo Logic has a complete picture of every packet of data, user action and application operation that is executed. That is not a subset: everything is monitored, with alerts in place to notify someone when something unusual is detected.

That covers more than 6000 servers in three countries, with around 50TB of data ingested every day.

"Everything is as secure as anything I've seen in my 17- or 18-year career in this business. I would put our security up against any government data centre. And we're doing it all in the cloud."


Using a gambling analogy, Pepin likened the old data centre to a single card table where the operator built the table with a hole in it for hiding cards, marked the cards and had a friend in the audience protecting her interests.

Although the dealer at this single table controls almost everything, there is a limit to the scale of the operation.

In contrast, a casino scales by not exerting that deep control over every table. In a casino there are times a slot machine will pay out or a blackjack dealer will cheat.

"But statistics, math, powers of scale are going to ensure you're going to win at the end of the day, every day."

The proof of this approach came when Sumo Logic went through PCI DSS Level 1 certification. The typical cost of attaining this certification, according to Gartner, is around $750,000, with about $120,000 of that going on the initial scoping phase. Sumo Logic completed the entire process for $60,000.

Because the environment is fully software-controlled, Pepin and her team were able to collect all of the required evidence and demonstrate their compliance; the initial discovery took just a few hours.

"This was simply a validation of everything we were already doing," she said.

The computing power afforded by platform-as-a-service providers delivers a scale and degree of flexibility that, Pepin says, traditional data centres simply can't match.


Anthony Caruana travelled to RSA Conference in San Francisco as a guest of Symantec.
