The cloud offers huge business benefits — and new security risks. To learn how to root them out by implementing truly effective role-based access control, automation and self-healing architecture, application-centric security, and more, don’t miss this VB Live event.
Right now CEOs are more worried about cybersecurity than a recession — because the business cost of a security breach actually outweighs the cost of a large recession.
“Organizations now have a significant business position in cloud data centers,” says Mike Wronski, principal marketing manager at Nutanix. “They’re running important, business-critical applications. There’s a lot of complexity, and they don’t have a lot of control. The more distributed and spread out things are, the less control they have, and the more concern they may have that something bad may happen.”
Back in the day, perimeter defenses were much easier. You knew the borders of your enterprise. You owned the data center. You had the bad stuff on the outside and you trusted everything that was inside the wall. As we move to this multi-cloud, hybrid cloud world, we introduce SaaS services, public cloud services, a combination of private data centers and public data centers.
“Now people don’t know where to build the wall,” Wronski explains. “Therefore, if you don’t know where to build the wall, you don’t really have any chance of success in protecting anything.”
C-level cloud security concerns
If you look at recent cloud security breaches, not all of them have been vulnerabilities, Wronski points out. People think it’s a hacker finding a back door. But the thing most of these events have in common is human error. A system has been misconfigured, or data left in public, or not even accounted for.
Those assigned with responsibility for security sometimes have no idea that an application being used was in the public cloud, a common side effect of shadow IT. It’s become so easy to leverage public cloud services by just running a credit card that almost anyone in the company can decide that they need a particular service, but the internal red tape is too complicated to navigate, so they expense an external cloud provider — and some valuable piece of corporate data ends up in a public cloud.
Another C-level concern is employee training. Your developers are proficient in the on-premises data center, but cloud is a new specialization. Are they deploying it in the most secure way? Do they even know what the best practices are? And are they training everyone in those best practices, or are some employees just not aware that a particular service resides in the cloud?
“The larger the organization — and they probably don’t want to hear this — the less covered they probably are,” Wronski says. “Just statistically, more than 70 percent of companies have had a breach of some kind. They just may not know it.”
The secret cloud security weakness
According to Wronski, the biggest mistake almost all companies make is focusing more on the technology than on people and processes — yet people and process are where most weaknesses lie.
“People often ask, what’s the best technology to protect me? What’s the next new technology that’s going to enhance my business?” he says. “But you have to pause and evaluate what has to change. Evaluating the people and processes first needs to be the focus. Then you can embrace the technology knowing you’ve thought about the risks and you have controls in place for those risks.”
Additionally, Wronski believes that there needs to be a big shift in approaching security as everyone’s problem.
“Organizations will always have a security team, but choices all employees make throughout their daily jobs may have an impact on security,” he explains.
That means company-wide education is needed to address everything from social engineering (knowing not to give out company information if someone calls you and says they’re from IT and asks you to verify your password) to rules about using public cloud, to eliminating all traces of shadow IT by improving internal IT services.
“What’s the driver for someone going outside of company lines to buy something? It’s because it’s too inconvenient internally,” he says. “That’s a people and process problem that you can solve. It shouldn’t be less convenient to use your own stuff and force you outside.”
Companies also need to work from the assumption that there’s going to be a breach, and prepare themselves from there, with disaster planning or business continuity planning, which isn’t just for giant earthquakes, volcano eruptions, and other natural events anymore.
“That’s the kind of disaster people think of, but what does it mean if we have a security event in our business?” he says.
Cloud security tactics and tools
There are essential best practices, and while they’re not as simple as building a perimeter wall, they’re the tactics that will keep your data safe (or safer) in a hybrid cloud world.
Zero trust security: Virtualization has created a world where more and more things are software-defined, and that means fine-grained control over the network, servers, and applications. That lets you essentially draw walls around your data and services, only you’re making that perimeter as small as possible — usually a single application or a single server. It means you reduce communication and access in your data centers to only what’s exactly required, trust nothing, and only permit verified traffic.
“It’s a very closed model,” Wronski says. “It’s not an easy model. It’s much harder than other methods. But it’s far more effective at preventing breaches in general, and absolutely effective at preventing the spread, should somebody get in through a vulnerability.”
That’s a situation that often arises around standard IT patching: There’s a known issue with a piece of software, or the patch doesn’t cover the entire issue. A hacker finds that chink in the armor and, next thing you know, they’re inside your security wall. At that point they’re free to browse for other vulnerabilities. But if you’re using this zero trust concept, where you’ve reduced these walls down to very small enclaves of protection, then their ability to look for additional targets is reduced or removed.
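The containment argument above can be checked mechanically. The following Python sketch is an added example, not part of the original article or of any vendor's product: the workload names, ports and allowlist are constructed, and it compares how far an intruder on one server can reach under a flat perimeter versus a default-deny allowlist, then flags over-broad rules the way an automated audit would.

```python
from collections import deque

# Constructed inventory: two applications, three tiers each.
WORKLOADS = ["shop-web", "shop-app", "shop-db", "hr-web", "hr-app", "hr-db"]
# Constructed allowlist of (source, destination, port); anything not listed is denied.
ALLOWED_FLOWS = [
    ("shop-web", "shop-app", 8443),
    ("shop-app", "shop-db", 5432),
    ("hr-web", "hr-app", 8443),
    ("hr-app", "hr-db", 5432),
]

def flat_edges(workloads):
    """Perimeter model: everything inside the wall can reach everything else."""
    return {(s, d) for s in workloads for d in workloads if s != d}

def policy_edges(flows, workloads):
    """Zero trust model: only allowed flows exist; '*' expands to every workload."""
    edges = set()
    for s, d, _port in flows:
        srcs = workloads if s == "*" else [s]
        dsts = workloads if d == "*" else [d]
        edges |= {(a, b) for a in srcs for b in dsts if a != b}
    return edges

def blast_radius(start, edges):
    """Workloads reachable from a compromised `start` by following permitted flows."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for s, d in edges:
            if s == node and d not in seen:
                seen.add(d)
                queue.append(d)
    return seen - {start}

def audit(flows, workloads):
    """Automated validation: flag wildcard rules and rules naming unknown workloads."""
    findings = []
    for s, d, port in flows:
        if "*" in (s, d) or port == "*":
            findings.append((s, d, port, "wildcard rule"))
        elif s not in workloads or d not in workloads:
            findings.append((s, d, port, "unknown workload"))
    return findings

if __name__ == "__main__":
    loose = ALLOWED_FLOWS + [("*", "hr-db", 5432)]  # constructed over-broad rule
    print(sorted(blast_radius("shop-web", flat_edges(WORKLOADS))))
    print(sorted(blast_radius("shop-web", policy_edges(ALLOWED_FLOWS, WORKLOADS))))
    print(sorted(blast_radius("shop-web", policy_edges(loose, WORKLOADS))), audit(loose, WORKLOADS))
```

With the constructed data, a single wildcard rule is enough to put the HR database back within reach of the shop web server, which is the kind of drift a scheduled audit is meant to catch.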
Automation: The human component is your most vulnerable area, so automation is key, Wronski says. Automate everything — not just configuring, but validating your security with automation.
“If it’s an automated process and not a manual process, you have a much higher chance of going back and auditing your configuration and ensuring that you’re still secure on a regular basis,” he explains.
Visibility: You have to understand how your applications communicate, and where their components live. Is it in the public cloud? Is it all on premises?
“You have to see everything. You have to understand where everything is. Only then can you have a chance of writing security policy,” he says.
Test your backups: It’s an old adage — backups are easy; it’s the restores that are hard. You don’t want to find out during an emergency that your backup process doesn’t work, that the data you thought you had safely stored away is actually gone. It’s also the way you circumvent ransomware attacks, in which a malicious actor comes in and essentially encrypts all your data, then sells you back the keys. If you have routine backups, you still have access to your data.
To learn more about the business advantages of a hybrid cloud architecture, reducing your attack surface with a zero trust environment, developing a human-proof security-first infrastructure platform and more, don’t miss this VB Live event!
- Why you need a single, fully tested, security-first infrastructure platform
- How to converge storage, computing, and networking
- A full understanding of security best practices
- How to protect against data breaches, unauthorized access, and other threats in a multi-cloud world
- Demetrius Comes, VP of Engineering, GoDaddy
- Mike Wronski, Principal Marketing Manager, Nutanix
- Neill Ashworth, Security Solutions Architect, Nutanix
- Dave Clark, Host, VentureBeat
Sponsored by Nutanix