Ominous clouds

Once upon a time, you knew who to fire when a hack took down your servers: The “little weenies” running around in the basement of your company, as AlienVault’s Russell Spitler put it.

But that’s all changing.

Cloud technology is ubiquitous. How many of you just checked Google Docs or put a photo in Dropbox? How many of you looked up a customer on Salesforce or answered a service ticket on Zendesk? I’m writing this article in WordPress, a veritable platform as a service. If your business depends on these kinds of cloud services, you’re in a scary world, my friend — a world where your company depends on servers you don’t control, with security policies you may not know, run by “weenies” you have no authority over.

After talking to several security execs about the issue, my sense is that one of the biggest fears about the cloud is simply not being able to see inside of it. It’s like an actual cloud, thick and opaque. You’re standing on one side, and the cloud service providers are standing on the other. As a chief technology officer, you can only hope that the provider is building good defenses on their end, because you aren’t in control of anything and you’ll only see your attacker when it’s too late: after they’ve come through the cloud.

We’ll be discussing how to be proactive in these situations — along with many other cloud security issues — at VentureBeat’s upcoming CloudBeat conference, November 28-29, in Redwood Shores, Calif. In the meantime, check out what keeps these security experts up at night:

Andrew Wild, chief security officer, Qualys

My biggest concern for companies using cloud service providers (CSPs) is that the CSP may not provide the customer with the proper level of detail needed to ensure the ongoing effectiveness of the CSP’s security controls.

In an enterprise environment, event logs should be available from the devices that enforce the security controls, such as switches, routers, firewalls, systems, and applications. In the cloud, the CSP is responsible for implementing and managing some or all of these devices, depending on the cloud service model (infrastructure as a service, platform as a service, software as a service). Enterprises may or may not have access to events from these systems.

Without event log information, it is very difficult to implement “continuous monitoring,” which is a key component of an organization’s ability to proactively detect security events and intrusions, leaving the cloud service user vulnerable to an undetected attack.

Rafal Los, senior security strategist, HP Software

What keeps me up at night, and [what concerns me] in my daily conversations with customers, isn’t the next big hack or threat. It’s that organizations out there are adopting cloud technologies without fully understanding the various cloud models.

Rather than wading into the pool feet-first, they’re going head-first, and [they’re] finding out the hard way what security, scalability, and legal or compliance challenges they’ll face, often in the heat of an issue. Technology certainly helps but doesn’t solve the entire problem. Education is critical.

Russell Spitler, vice president of product management, AlienVault

The top security issue in the cloud is accountability.

When an incident occurs in your own data center, there are plenty of people to blame and subsequently fire. What’s causing such concern about the migration to cloud-based services is that the person who makes the decision to move to the cloud is now the one who gets fired after an incident occurs. Many people have taken the plunge and accepted this risk, assuming that if the cloud service provider is ‘that big’, they must be secure.

What we are faced with is not new technology: Virtualization and geographically disparate networks have long been a concern. What is new is that the economic stakeholder can no longer place the responsibility for security on the technical weenie scurrying around the bowels of the data center. That stakeholder must now confront the question, ‘What is it that I need to know in order to feel secure?’

The data needed to answer the question is the same as it has always been: You need visibility. You need to know what assets you have, what data is being stored, what are the latest threats, who is attacking you, and, ultimately, if you need to worry.

Placing your trust in a cloud service provider now means that you are putting these concerns in their hands. Some might transfer that concern and walk away. Others, the ones worried about the eventuality of a breach, require visibility into the infrastructure running their cloud services. Even with the largest providers, we have yet to see responsible disclosure of this information.

Gur Shatz, chief executive officer, Incapsula

Today, my greatest concern is that while critical infrastructure gets pushed to the cloud, there is no sure way of protecting the desktops and mobile devices accessing it.

This should be a great concern to chief information officers and chief technology officers. With the inherent risk that employees’ computers and devices introduce, a strong barrier is needed to protect the production environment. After all, this is where customer information is stored and critical business processes take place.

At the very minimum we need to make sure that access to the environment should be limited to specific sources and behind at least two factors of authentication; that access should always be personal; that we have no more generic users such as “administrator” or “root”; and that access is monitored, with a full audit trail of who went where.

Ashar Aziz, chief executive officer and chief technology officer, FireEye

One of the most disconcerting aspects of moving into the cloud is the limited security visibility and (un-)timely incident response offered by cloud vendors.

Whereas before, CIOs and CISOs could put measures in place to detect and stop advanced cyber attacks against their own network, now they may not hear about a data breach until the cloud vendor is mandated to disclose the incident. Organizations cannot just assume and trust that their cloud vendors have adequate security. They really have to demand and verify that advanced threat protections are deployed before moving their valuable data into the cloud vendor’s network.

The most common security pitfall is not addressing the IT security risks in your own network first. In fact, our research shows that over 95 percent of enterprises have advanced malware in their network, which means that cyber criminals and nation-state advanced persistent threat attackers will just utilize this avenue to penetrate the cloud infrastructure of that organization.

The easiest way to break into the cloud is by compromising an end-user system with a zero-day attack or a spear phishing email exploiting an OS, application, or browser plug-in vulnerability.

Jim Fenton, chief security officer, OneID

Losing complete control over your domain by moving services to the cloud is what keeps you up at night.

Critical services need to be protected anyway, and the guiding principle of defense-in-depth that we live by means having multiple ways to protect these services. And one of the most reliable ways has typically been in the ways we rule our topology.

When that goes away as a result of migration to the cloud, it just creates a really uncomfortable feeling.

David Mortman, chief security architect, enStratus

What keeps me up at night with regard to cloud security? Mostly it’s the fear that people aren’t going to apply the lessons we’ve learned over the last 20 to 30 years about how to have disciplined operations and security.

While it’s true to a large extent that cloud isn’t that different than working with bare metal, there are some key fundamental differences that can be used to make things more efficient and more secure. But if we don’t apply those lessons, then all we’re doing is exacerbating the problems we already have to the nth degree. The very benefits of the cloud — speed and elasticity — will cause already fragile systems to become even more brittle and completely obviate any additional value.

On the other hand, if we can properly apply all of that knowledge we’ve gained, the cloud’s speed, elasticity, and ability to automate will make systems more stable, more secure, and easier to manage.
