The cloud computing industry is improving its security story – long based on installing intermediary encryption gateways – but is still more than a year away from having “ubiquity in terms of security controls”, a Symantec security expert has warned.
Much of cloud vendors' effort to date had focused on introducing better APIs to ensure smoother verification of user authentication information and encryption of files. However, Symantec senior principal systems engineer Nick Savvides told CSO Australia, such efforts had done little to facilitate the movement of user authentication credentials and encryption keys throughout the ecosystem.
“I might have all the security at the back half of the network but if I still have to use username and password logins, it's still just a user name and password,” he explained. “I've put all the security on the back side of my cloud service, and am protecting it with the weakest form of authentication.”
The issue had persisted because cloud architectures and enterprise architectures weren't generally designed to share authentication information and facilitate encryption – creating a gap between the two that compromised many of the smooth transitions necessary for strong data-security measures to be reliably extended to cloud services.
Gateway-based solutions had provided stopgap measures but the idiosyncrasies of such solutions continued to hold back the broad interoperability necessary for cloud security and encryption to become truly vendor independent.
“The problem is that if you have a dependency on the gateway encrypting data in such a way that it can still be manipulated on the inside, encrypting it can break a lot of that functionality,” Savvides explained.
The solution lay in standards-based authentication efforts from the likes of the Cloud Security Alliance, with cloud and enterprise vendors formalising the management of encryption keys using APIs.
“That is the next big thing that will happen in cloud security over the next 12 months,” Savvides said. “We will see APIs for cloud applications to support third-party encryption of the data at rest. The technology around cloud orchestration needs to become a bit more mainstream.”
Despite improvements in the securing of some kinds of workloads, however, the industry was still “12 to 24 months away from having ubiquity in terms of its security controls,” he warned – particularly in government and other complex industry sectors.
The long timeframe came because intermittent progress towards a more coherent cloud-security platform reflected broader issues in making the transition to the new model, which had enabled powerful new methods of application delivery but continued to frustrate efforts to integrate those capabilities with existing legacy systems.
“There is now a sense that people need to provide services to employees and customers at a much faster pace, which has really challenged some of the traditional IT security policy,” he said, noting that adapting those policies had generally been done on a case-by-case basis.
In large environments such as government agencies, this had posed serious problems. “Traditional IT security policy for governments has been fairly incompatible with the cloud,” Savvides added. “The whole mentality was never built with the concept of having third parties doing things for you in remote data centres.”
“Each time the next workload comes along, you have to redesign all your controls,” he continued. “You're designing controls for every workload that comes out – and you're bringing in cloud services selectively but then adding a layer of complexity and management.”
“You're essentially having to go through a reinvention of your security controls every time you adopt a cloud service.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.