How do you secure the cloud? New data points a way

Reports show big differences in risk among public, private and hybrid cloud deployments. Here’s advice on the tools, information and organizational structure needed to execute a successful cloud security strategy.

Regulatory compliance a concern for the cloud

These blind spots and low information visibility could create privacy and other regulatory compliance issues. Sixty-six percent of Vanson Bourne respondents say lack of visibility will make GDPR compliance difficult.

The CSA survey also addressed compliance issues, particularly around ownership of security and compliance. Only 16% said they had a dedicated cloud security team, while 79% said IT was responsible for cloud security. 

Most respondents (57%) were concerned about regulatory compliance regarding cloud services, and the report's authors noted that there is ambiguity over how organizations leverage cloud platforms for compliance. That would seem to be an argument for giving ownership of cloud security and compliance to a specialized group that understands the technology and requirements.

Will machine learning help?

Cloud service providers are working to improve customers' ability to identify and address potential threats. Amazon Web Services (AWS), for example, announced two services in 2017 that rely on machine learning to protect customer assets. 

In August, AWS announced its Macie service, focused mainly on PCI, HIPAA, and GDPR compliance. It trains on the users' content in Amazon S3 buckets and alerts customers when it detects suspicious activity. AWS GuardDuty, announced in November, uses machine learning to analyze AWS CloudTrail, VPC Flow Logs, and AWS DNS logs. Like Macie, GuardDuty focuses on anomaly detection to alert customers to suspicious activity.

The effectiveness of machine learning depends on models, which consist of an algorithm and training data. The model is only as good as the data it's trained on; any event that falls outside the data in the model will likely not be detected by a service like Macie or GuardDuty. 

That said, a cloud security provider like AWS will have a much richer data set to work with than any individual customer would. AWS has visibility across its entire network, making it much easier to train its machine learning model on what is normal and what might be malicious. However, customers need to understand that machine learning will not detect threats that fall outside the training data in the machine learning model. They cannot rely on services like Macie and GuardDuty alone.

Who owns cloud security?

Given what’s at stake, it’s no surprise that 62% of respondents expressed a desire for their security operations centers (SOCs) to control network traffic and data to ensure adequate protection in a cloud environment. Half of them would settle for awareness of network traffic and data.

Gaining control or even full visibility might be a challenge for many organizations due to the structure of the groups that manage the cloud environment. While security operations are responsible for cloud security at 69% of the respondents’ organizations, cloud operations (54%) or network operations are also involved. This has resulted in confusion over who is taking the lead for cloud security and how teams should collaborate. In fact, 48% of respondents said that lack of collaboration among teams is the biggest roadblock to identifying and reporting a breach.

“Often, companies split responsibilities among the network, security and cloud,” says Clavel. “Each have distinct budgets, distinct ownership, and even distinct tools to manage these areas. Gaining visibility into the cloud to secure it requires breaking down the communication walls among these three organizations. The same security tools that are deployed on-premise will be able to also secure the cloud – so cloud and security teams need to communicate.” 

What type of person should take point on the organization’s cloud security? It will need to be someone or a team with the right skills and ability to commit long term. “Find the person or the team able to move toward the new cloud security paradigms fastest, and allow them to build your security strategy for the next three to five years,” says Govshteyn.

“In the last few years, this tends to be the IT operations team or an enterprise security team, but there is always an architect-level individual contributor or dedicated cloud security team at the core of this effort. This new breed of security professional can write code, spend more than 80% of their time automating their jobs, and view the development teams as their peers, rather than adversaries,” says Govshteyn, adding that at technology companies security is sometimes a function of the engineering team.

Although boards of directors are taking great interest in security these days, they won’t help at the ground level. “In reality, much of the critical decision making when it comes to cloud security today comes from technologists able to keep up with rapid pace of change in public cloud,” he says.

Further complicating the task of securing the cloud for more than half (53%) of the respondents is the fact that their organizations have not implemented a cloud strategy or framework. While nearly all those organizations plan to do so in the future, it’s not clear who is leading that initiative.

“Security and monitoring tools will also be able to leverage the same security delivery platform for more flexibility – so network, security and cloud need to also agree to share the responsibility of the security delivery platform,” says Clavel. “Companies that consolidate their security and monitoring activities – as part of the SOC – or at least to establish common budgets and shared ownership of a security delivery platform, are rewarded with better flexibility, faster decision making, and consistent security across on-premises and cloud deployments.”

Copyright © 2020 IDG Communications, Inc.
