[BreachExchange] Why You Should Question These Most Common Cloud Assumptions

Destry Winant destry at riskbasedsecurity.com
Wed Dec 27 14:53:51 EST 2017


http://www.securityweek.com/why-you-should-question-these-most-common-cloud-assumptions

The Approach to Cloud Security Should be No Different From the
Approach to Network or Endpoint Security

The dynamic and automated nature of the cloud brings many benefits to
businesses, from easy setup and delivery of services to predictable
maintenance costs. With users accessing data and collaborating from
anywhere, whether they are in branch offices or working remotely,
cloud-based services and applications have completely transformed how
business is done.

According to survey findings from 451 Research, 3 in 5 (60 percent)
enterprise workloads will run in the cloud by mid-2018, up from 2 in 5
(41 percent) today. However, along with this new era of growth come
certain assumptions about how the cloud operates, and how to secure
it. Every security professional should question these assumptions and,
perhaps more importantly, encourage others throughout their
organizations to question them as well. In doing so, all parties
involved will be doing their part to make sure their organizations –
and the massive amounts of data and intellectual property (IP) the
cloud stores for them – are secure.

Common Cloud Assumptions

1. The Cloud Is All About Quick Application and Service Deployments

The cloud has completely changed how new applications and services are
developed and, in turn, delivered to their customers. Quick
deployments and fast delivery are two assumptions that teams, in most
cases, don’t question when choosing to deploy a cloud-based
application or move data to the cloud. While cloud-based agility can
deliver massive benefits, security must be considered and properly
integrated into the cloud application development lifecycle from the
very beginning to prevent data loss and business disruption. As more
data, sensitive IP and business-critical applications migrate to the
cloud, it is our responsibility as security professionals to instill a
security-first mentality into the organization, such that any
conversation about cloud includes security.

2. The Cloud Is More Secure

Public cloud providers typically offer some form of native security,
which many individuals often assume is enough, but this couldn’t be
further from the truth. In the past, organizations maintained complete
responsibility for the security of their private cloud
infrastructures, but that has entirely changed now with public cloud
and SaaS-based applications.

Now, the enterprise and the infrastructure provider share
responsibility. The security of the data is the organization’s
responsibility, and the security of the infrastructure is handled by
the cloud provider. Within the public cloud, we continue to see data
breaches, which are often the result of improper use,
misconfigurations or advanced threats. Given this, it is important to
remember that the cloud is not inherently more secure; it is equally
as secure as anywhere data is stored. Organizations must approach the
security of their data in a way this is consistent with their overall
security approach – the cloud is no exception to this rule.

3. Cloud Security Is Different From Network or Endpoint Security

Although organizations are responsible for ensuring the security of
their data, regardless of where that data resides, oftentimes cloud
security is still thought of as a different type of security. This
assumption results in deploying different solutions to secure the
cloud, leaving security teams with complicated environments to manage
and products that cannot speak to one another, especially for
organizations with multiple cloud infrastructure providers.

The reality is that, even though the consumption of cloud security
differs from the automation thereof, the approach to cloud security
should be no different from the approach to network or endpoint
security. It’s obviously not possible to put a physical firewall in
the cloud, but security professionals must apply the same rigor to
secure the cloud as they would the network or the endpoint. This rigor
will ensure that organizations are protected against the same threats
across all environments in the most efficient way possible. Put
simply, consistency yields the best results.


More information about the BreachExchange mailing list