Presented by SparkPost
The shift towards cloud computing has fundamentally changed how software is deployed and consumed. It also entails myriad changes to the business of building and delivering software. Questions of application and data security are among the most critical, particularly when considering the transformation of core infrastructure such as email delivery into a cloud-native service.
When my own company, SparkPost, embarked on its cloud transformation, the security of our infrastructure was a paramount concern that informed nearly every technology and business decision our team made. Just as importantly, we knew that it was essential that our customers could be confident entrusting the integrity of their data and their brands to our service.
In this article, I will share some of the analysis that drives our approach to cloud security, and what we learned during our transformation to a cloud-native business. Some of these considerations are specific to our email expertise, but many reflect best practices for securing cloud services of every stripe.
Email security isn’t what it used to be
From user notifications to transactional messages to social updates, email is a proven reliable and effective way for businesses to drive customer engagement and growth. That effectiveness is highly dependent upon the trust customers place in it.
Equally important, email is universal and cross-platform. That’s a fundamental strength of the channel. However, email’s nature as an open communication platform also means that it is susceptible to attack on the infrastructure that hosts it.
When most of us think about email attacks, it’s likely that message-borne risks such as spam, malware, and phishing are what come to mind. In the past, perimeter defenses like spam filters and virus scanners were a typical (if porous) line of protection.
Today, a comprehensive industry system that includes ISPs, inbox providers, and anti-spam vendors has made great strides towards solving the email spam problem. And while email does remain a major target for phishing attempts, the email industry has taken steps with standards like DMARC that help reduce many types of phishing vulnerabilities.
Still, breaches will occur, as shown by successful attacks on organizations like the Democratic National Committee, Anthem Health, and Sony Pictures that all involved email as a successful attack vector. In each case, hackers exploited messaging security and authentication weaknesses to breach the perimeter and steal sensitive information. Once they had a foothold in an organization, they were able to pivot and expand the breach.
High-profile cases like these are just the tip of the iceberg. As the state of the art in security in email has advanced, so have the threats. Email systems are constantly being tested for vulnerabilities by adversaries ranging from amateur hackers to advanced state actors and every threat in between.
Keeping it in-house is a false sense of security
In fact, the environment has become so hostile — and the threat models so varied — that few IT teams have the resources or bandwidth to keep ahead of the curve and protect their email systems. Today, only the world’s most sophisticated businesses can deploy the technology and staff needed to counter today’s threat environment. And the deeper a company’s footprint across the technology stack, the more complex (and resource-intensive) this effort becomes.
Let’s set aside physical aspects like secure siting, resilience against natural disasters, and even hardening against violent threats such as terrorism. Complex issues such as network defense and isolation, server and operating system security and encryption, and specialized hardware (maybe even custom silicon) for handling sensitive information must be understood and addressed. Beyond that, consider ongoing operations: continuous risk assessment, threat monitoring, and mitigation are all needs requiring significant investment in highly skilled staff working around the clock.
Every layer of the stack is a potential vulnerability, and your team has to secure it. A weakness at any point means that one of the bad guys can gain a foothold into your infrastructure and use that leverage to move around, find targets, and inflict damage. In the case of a recent, well-known breach at Target, for example, attackers got in through systems embedded in the air conditioning control systems and used that access to penetrate more valuable, vulnerable systems on the network.
And all of this is to achieve a baseline that offers no competitive advantage — indeed, that only offers risk.
The cloud’s core infrastructural benefits include rethinking the role of security
These risks and costs are why progressive IT teams understand that self-managed email delivery infrastructure — whether literally in-house or in third-party data centers — is almost always less secure and more expensive than more modern, cloud-based alternatives.
The many advantages of the cloud have been discussed widely. They range from the business flexibility that comes with shifting infrastructure costs from capital to operating balance sheets to the scalability, elasticity, and scalability that are intrinsic to on-demand computing resources. But a significant benefit not often discussed in business case studies is that cloud providers also deliver a much stronger security stack.
“Security by design” is intrinsic to modern cloud architectures. The controls and policy-based separation among infrastructural components ensure a level of compartmentalization that few traditional data center platforms can offer. Companies building on the cloud begin with a much higher security baseline, across the entire perimeter.
And because cloud platforms are services, not just code, operational security — whether it’s resilience against DDoS (distributed denial of service) attacks, detection of malicious code, or ensuring the integrity of email messages in transit — has become a fundamental quality of any cloud business. That requirement shifts the role of information security teams from a primarily reactive (and losing) position of plugging the holes in the virtual dike to a proactive stance that’s fundamental to our overall business operation and technology expertise.
That quality alone represents a major lift in the quality of security of technology services. And, certainly, cloud infrastructure providers now have the scale and importance to attract the best security and reliability engineering professionals in the world. But there’s another factor at work, as well.
The importance of domain expertise in cloud security
The best teams to run and secure software are teams who deeply understand the domain space and who work closely with the developers of the software. Database security experts are drawn to the biggest cloud database providers. The best email security and deliverability experts are drawn to the most innovative cloud email delivery services.
The interaction of developers, devops, and security teams is a major strength of modern cloud providers. Those close-working relationships drive a virtuous cycle few other businesses can match.
For a company like mine, building high-performing, reliable, and innovative email delivery necessarily entails making sure email infrastructure can’t be misused by spammers and that it’s secured against virulent threats like phishing or other harmful content. In fact, we couldn’t separate the technology from the operational issues, even if we tried. They’re equally fundamental to why we’re in business. High-performance email and highly secure email delivery are our yin and yang.
In turn, we know our cloud infrastructure provider has got our back when it comes to basic network and platform security. As a service provider leveraging cloud infrastructure, we can defend one perimeter instead of multiple, and I can focus my information and application security teams on keeping our controls current and diligently monitoring our core services. In other words, we really can invest all of our assets in what we do best: email delivery — including our expertise in messaging security.
Cloud security means delivering more for customers
Every cloud service delivers an explicit functional value. And cloud providers face the additional, implicit responsibility of protecting their customers’ security and reputations. It’s a challenge, but it need not be a liability. In fact, as my own company has learned, it can be a strength.
Bringing our laser focus on messaging and email to the cloud drives a real advantage for us as a business. It’s also a reassurance we can deliver to our customers. The cloud gives us infrastructure security far beyond any alternative. We bring unmatchable email security with our domain expertise. And our customers therefore get both.
Email security in the era of the cloud is a critical concern for business leaders. Read this executive brief to learn more.
Steven Murray is Chief Information Security Officer at SparkPost.
Sponsored posts are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact firstname.lastname@example.org.