David Mortman of Securosis says much of what has been said about cloud security has ranged from the misguided to outright FUD.

SAN FRANCISCO — Much has been made of the challenges around cloud security. And, argued David Mortman, contributing analyst at the research firm Securosis, much of what has been said has ranged from the misguided to outright FUD (Fear, Uncertainty, and Doubt) mongering.

And, sometimes, the result is that security professionals push back on cloud initiatives out of concern about their ability to secure these environments. “It’s time to get past all of the FUD surrounding cloud computing and ask what is specifically different about securing the cloud,” Mortman said to an engaged audience at the Security B-Sides San Francisco event held Monday and Tuesday this week.

All of the arguing as to whether public clouds are more secure than private clouds, or whether securing cloud computing environments is more difficult than securing on-premise environments, is a red herring that distracts from the single most important question: Does the computing environment you are considering enable your business to do what it needs to do cost-effectively and within an acceptable level of risk?

Although only a small percentage of businesses run a substantial portion of their IT within clouds, it’s only a matter of time before the majority of business-technology systems live within cloud environments. Mortman said that a recent cloud-based data center he helped to build and secure costs $10,000 a month.
If that same infrastructure were to be built using a traditional physical infrastructure, the initial outlay would have ranged from $1 to $2 million.

That means the question, for most security managers, is not if they’ll have to grapple with securing a cloud infrastructure, but when. Mortman said that effort should be approached much like any other outsourced IT arrangement. “That means educate yourself on the operational environment of the cloud provider, and make solid recommendations to the business on how to move forward with a reasonable level of risk,” said Mortman.

The questions one asks a cloud provider would resemble the questions that would be asked of any other outsource provider: What are their security and change management processes? How are employees vetted? How is the infrastructure secured from both electronic and physical attacks? What security features do they provide, such as network segmentation, strong authentication, and others? “If you can get the functionality your business needs with reasonable security levels then the tradeoffs are worthwhile,” he said.

Mortman used an Infrastructure-as-a-Service environment as an example. In such a situation, an enterprise will get a flat network with a firewall, no network segmentation, and limited web application firewall options. “You won’t have more advanced security like deep packet inspection, patch management, or intrusion detection systems provided for you. You get a lights out data center in which you still need to take care of many security responsibilities yourself,” he says.

“Fundamentally, it’s no different than building a data center, or renting resources from a co-location provider, but the costs will be much higher,” he said. “And you will still have many of the same security challenges to contend with,” he says.

Also, while the technology to secure cloud environments still lacks maturity compared to on-premise environments, that is improving all of the time, Mortman said.
“Security people who are fighting the move to cloud need to start focusing more on how they can help the business to adopt cloud computing initiatives securely, and stop being a roadblock,” he said.

George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter as @georgevhulme.