Who is Really Responsible for Cloud Security?

Discussions about cyber security used to be dominated by horror stories of recent hacks and technological promises to never let it happen again. A recent debate suggested that things are becoming more interesting – and maybe more scary.

"At some point, you have to automate as many of these functions as you can, be able to reprogram as needed and set those policies and have complete visibility on-premise through the cloud and back," Atchison Frazer, Worldwide Head of Marketing, Versa Networks. Photo: Lars Bennetzen

By Lionel Snell, Editor, NetEvents

At a recent NetEvents EMEA Press Spotlight the question was raised of security in the cloud, and where final responsibility lies. Analyst Rik Turner from Ovum was surprised how many people were not aware of the “Shared Responsibility Model”, which summarises three different ways of consuming cloud services – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) – and the relative responsibilities of the customer and the cloud supplier for each – see diagram.

In IaaS, for example, Amazon Web Services (AWS) takes care of all the grey bits in the diagram, from Virtualization down to Networking; everything above that is the customer’s responsibility. “You are not going to get any money back from them if you are breached because you didn’t secure those layers above,” said Rik Turner. Similarly, for PaaS you are responsible for security in the top two layers only. “If anything goes wrong with any of that, AWS would have to refund some money, or whatever”.

The shared security model is clearly very important for any enterprise migrating to the cloud: the enterprise will have to take care of security in all the red bits of the diagram. Those red layers are exactly the parts that security vendors address for the enterprise.

The joy, and the temptation, of SaaS is that it is so easy to buy without IT even needing to be involved. Hence the threat of shadow IT, and the rise of Cloud Access Security Brokers (CASB) as the initial response. Since then the CASBs have mostly been acquired by larger security companies with broader portfolios.

IaaS and PaaS are more complicated for the enterprise, because the customer has broader responsibility and there is more use of Containers, Microservices or Serverless services – each with its own format. It’s a progression: VMs remove the dependence on physical servers; containers spare the spinning up of new VMs; and Serverless means you can forget both and just specify the functions to be supported – with a 70-80 percent saving in infrastructure costs.

As a consequence, we are hearing more about Cloud Workload Protection Platforms – blocking and remediating attacks, and restarting the workload somewhere else – and Cloud Security Posture Management (CSPM), which is essentially a compliance function. Because it is now so easy to spin up a Virtual Machine (VM), CSPM monitors and manages the spread of VMs to ensure compliance with company policies.

According to Turner these two worlds should ultimately converge, because CSPM is starting to move in the direction of remediation, rather than simply alerting: “It gets a little bit more difficult with containers, inasmuch as you are starting to see smaller packages of code.” Things become more ephemeral with Serverless: “the life of a piece of code that’s running in a serverless environment may be a matter of milliseconds. How do I secure that?” His suggestion is that we are moving towards a DevSecOps world, where the developers become responsible for embedding the security: “not a traditional developer concern”.
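As an added illustration, not code from the article or from any vendor mentioned in it, the following Python sketch applies the Shared Responsibility Model to a constructed inventory the way a minimal CSPM compliance check would: it reports only gaps in layers the customer owns, because those are the ones the customer must remediate. The layer names and the cut-over points per service model are assumptions; the article only states that the IaaS provider covers Virtualization down to Networking and that PaaS leaves the top two layers to the customer.

```python
from dataclasses import dataclass, field

# Stack layers from bottom to top. Names and cut-over points are assumptions
# for this example: the article states that the IaaS provider covers
# Virtualization down to Networking and that PaaS leaves the top two layers
# to the customer; the SaaS split (customer keeps the data) is assumed.
LAYERS = ["networking", "storage", "servers", "virtualization",
          "os", "middleware", "runtime", "application", "data"]
CUSTOMER_FROM = {"iaas": 4, "paas": 7, "saas": 8}  # index of first customer-owned layer


def owner(service_model, layer):
    """Who secures this layer under the Shared Responsibility Model."""
    return "customer" if LAYERS.index(layer) >= CUSTOMER_FROM[service_model] else "provider"


@dataclass
class Workload:
    name: str
    service_model: str
    controls: dict = field(default_factory=dict)  # layer -> True if a control is in place


def posture_findings(workloads):
    """CSPM-style compliance check: every customer-owned layer without a control
    is a finding. Gaps in provider-owned layers are deliberately not reported:
    they are the provider's liability, not something the customer can remediate."""
    findings = []
    for w in workloads:
        for layer in LAYERS:
            if owner(w.service_model, layer) == "customer" and not w.controls.get(layer, False):
                findings.append((w.name, layer))
    return findings


# Constructed inventory: one VM on IaaS, one app on PaaS, and one SaaS subscription
# bought outside IT (the shadow-IT case) with nothing recorded for its data.
INVENTORY = [
    Workload("web-vm", "iaas", {"virtualization": False,  # provider-owned: not a finding
                                "os": True, "middleware": True, "runtime": False,
                                "application": False, "data": True}),
    Workload("api-paas", "paas", {"data": True}),
    Workload("crm-saas", "saas"),
]

if __name__ == "__main__":
    for name, layer in posture_findings(INVENTORY):
        print(f"{name}: customer-owned layer '{layer}' has no control in place")
```

Run stand-alone it lists four gaps; the unsecured virtualization layer on the IaaS VM is skipped because, under the model, that is the provider's problem rather than the customer's.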

Some people who struggle with security use the cloud as a fall-back. That was the opinion of Jan Guldentops, Director, BA Test Labs: “We’re going to outsource to the cloud as it’s all secure and all the problems are gone. That’s the first misconception I see all the time. We are going to the cloud just to be able to secure”. Is that really so? Others, like Peter Galvin, Chief Strategy and Marketing Officer, nCipher Security, disagree and say the main cloud driver is not security, but agility and reducing spending on data centers. The real problem is companies migrating ASAP to a fast-evolving cloud without upgrading their thinking: what used to be best practice is now actually wrong.

A recent Verizon Data Breach Investigation Report reported a doubling of the number of nation-state level attacks against small businesses, in a world where every single cloud-connected device is now a potentially vulnerable endpoint. So Aaron Turner, CEO & Co-Founder, Hotshot Technologies, suggested a need to rethink the risks to the perimeter: “how’s the average small business going to defend themselves against a nation-state adversary?” Hence his company’s emphasis on: “a new solution that helps those least sophisticated people protect themselves from the most sophisticated adversaries”.

Perhaps it is necessary to think less about trust and more about verification? Philip Griffiths, Head of EMEA Partnerships, NetFoundry, gave the example of “a three-letter government agency” his company works with, and their very severe verification standards: “To access applications on the cloud, they have to show five points of trust. They have to have a client on their laptop, they enter a password onto that laptop, they are wearing a watch with unspoofable hardware, they put their thumb on that watch to give biometric proof of trust and that watch also measures their EKG, so it can’t all be done under duress.”

How secure is that? Guldentops reminded us: “If the prize on the end of the hack is big enough – somebody will come up with something”. Griffiths hit back with: “If you’re harder and more expensive to hack, people find another victim. It’s about having better shoes to run faster than other people when the bear comes along.”

That may be true, but for many people the point of IT is to enable business and make it easier. Complications on that scale could drive us back to pencil and paper, except that Griffiths followed up with a very different counter-example: “But at the other end of the scale, you can literally go on to our website, download a couple of endpoints, deploy into your cloud and, in five minutes, create a network. One of our customers connected seven AWS data centres in two hours the other day, while doing another job that implements multiple layers of security by design. So that you take away many of these threat vectors such as DDoS, man-in-the-middle et cetera”.

Another company that focuses on providing good security for less sophisticated users is Hotshot Technologies. Aaron Turner, the company’s CEO and Founder, claimed: “We try to make it so that a family or a small business can deploy nation-state level protections in 30 seconds or less… so easy to use and so intuitive that you get that protection built in”.

One counter argument says that, however well thought out the security solution, it is only as good as the way it is applied: “The problem is when it gets to the customer, they often make a mockery of what you’re trying to do by adding bells and whistles. Like having a beautiful car designed for minimum wind resistance, and people put a roof rack on it.”

Atchison Frazer, Versa Networks’ Worldwide Head of Marketing, sees this as a key argument for more automation: “Capital One has a thousand sites. They use digital labour delivered by Versa. It’s all automated. We have the NSS labs, we’re the only SD-WAN vendor that scored in the top vector of NSS labs rating. At some point, you have to automate as many of these functions as you can, be able to reprogram as needed and set those policies and have complete visibility on-premise through the cloud and back.”

But even with automation we cannot get away from the reality of human error or malicious intent, according to Jan Guldentops: “People will stay stupid… It’s a brave new world and we’ll have to learn to live with it”.

That may not be the best mental approach when planning security strategy, but as a warning, it should never be forgotten.
