When it comes to cloud security, which is better: heavy hand or gentle policing?

When it comes to successfully managing cloud use within the enterprise, some security organizations try to establish and enforce firm lines between what is permissible and what is banned, while others try to learn what their employees are trying to achieve and help them do so more securely.

To get a sense of what enterprises think about cloud deployments and cloud security, we recently reached out to Jim Reavis, cofounder and chief executive officer at the Cloud Security Alliance. As a nonprofit, the Cloud Security Alliance promotes the use of security assurance best practices in cloud computing, as well as cloud computing education.

Reavis is an information security industry vet and has advised on industry business launches, mergers and acquisitions, and IPOs. Since its founding, the Cloud Security Alliance has launched numerous successful cloud security efforts, including the cloud security provider certification program, the CSA Security, Trust & Assurance Registry (STAR) (a cloud provider assurance program of self-assessment, third-party audit, and continuous monitoring), and the cloud security user certification, the Certificate of Cloud Security Knowledge (CCSK). The Cloud Security Alliance also provides research programs in collaboration with industry, higher education, and governments in the areas of cloud computing, mobile, and the Internet of Things.

In your role as president of the Cloud Security Alliance, where do you see the state of enterprise cloud adoption right now?

When it comes to cloud, enterprises are really all in. They're doing a lot more of their mission critical activities in cloud. The security around their cloud implementations is growing as well. Enterprises are getting better at securing their cloud environments and you’re seeing the tier one cloud providers certainly investing in the security of their services. And because of the scale of their services, they can invest in security in ways that enterprises just can’t on their own.

We're also starting to see the impact of the economics and scale when it comes to security investments, and that’s true whether it’s sophisticated intrusion detection, identity management, event monitoring, or whatever: they’re building a level of security in their systems that surpasses what a typical enterprise can do. Their level of investment is why we’re seeing that the bad guys will target cloud users and not try to breach the cloud provider itself directly because they are much more secure.

Enterprises also are learning now how to transition into cloud and to understand the level of security they are getting from cloud providers. Enterprises will always have a role in securing their cloud deployments, whether it's more of the implementation of the technical controls inside private cloud or if it's more due diligence and procurement efforts and looking for the assurance from the providers that they adhere to secure practices.

That's interesting. What do you see the catalysts being to change how enterprises rethink cloud security?

It's human nature to become attached to our servers and systems. Many enterprises have this mentality, and they will even name their servers after pets. And with physical machines, they very much had a defensive posture that prized keeping that system up for years and years. If there was a breach, they would identify it and try to cleanse that system because the cost of taking things down, the cost of downtime, could be severe. That creates entropy and systems just lose a lot of stability.

What I’m seeing some of the enterprise leaders in this area do now, as a result of virtualization, orchestration, and automation tools, is, instead of finding and cleansing malware, they just destroy the virtual machine and launch a new instance that points to the data source. There’s no downtime and no loss of production time doing the forensics. They just basically reimage that virtual machine. They’ll do the forensics later in a different way, and after cleaning up and restarting their infected workloads.

When it comes to companies today that are successful in how they manage cloud in their environment, what are some of the things you see them doing to manage risk and embrace innovation, but in a mature way?

Gentle policing based on very strong knowledge of how their organization is using cloud is very important. This way, they look at what people are trying to accomplish with cloud, and can step in and consult. Gentle policing isn’t meant to inhibit cloud usage as much as help to guide the organization to the more secure options that are available, if users chose an option that wasn’t secure. This ends up being a very good way for enterprises to embrace a mature approach to provide guidance and not just say ‘no’ all of the time.

I also think that organizations are investing more into indicators of compromise as well as into being able to react more quickly when there is a breach. They understand that attack surfaces are becoming vast with the growth of apps and all the mobile endpoints. This creates a need for more agility in reacting to security issues and incidents. They are also investing more in sharing information in their industries, and we are seeing more interest in participating in ISACs or having more of these sorts of relationships to share best practices.

I would imagine that security analytics plays an important role here. Many of the things you just described have a lot of metadata and other data around them, so the need for security data analysis is probably much higher now than five years ago.

That's a really good point. A lot of what I was talking about when it came to investing in incident response included security analytics. A lot of that type of response requires that organizations invest in security analytics. Enterprises can gather all of their different data points across their infrastructure and cloud systems and see that certain data indicators probably increase their confidence level that a breach occurred, and then those data will help them to figure out what to do there.

This is transforming a lot of how we think about securing our systems. There's no doubt about that.

Stories by George V. Hulme