According to the majority of IT executives, security is a key ongoing concern. Yet, if you ask security vendors or look at survey data, most enterprises aren’t taking the steps necessary to protect their infrastructure or their data as well as they should. In fact, under normal conditions, talking potential security risks is an exercise in futility, because every business has appropriate and sufficient security measures in place. Just ask them.
Until recently, the answer you were likely to get from anyone but a true security expert was, “Sure, I am secure – here’s the firewall,” exhibiting a lack of understanding of threats and exposure.
Perhaps it’s fortunate, at least, that when major, serious threats, like Heartbleed or POODLE strike, or when major businesses, like Sony or Target (News - Alert), are hacked, security suddenly takes on a new face – one of greater urgency and sensitivity, as businesses instantly show concern over the safety of their corporate data.
“We see an uptick in requests when things like Heartbleed happen, asking us what we have done to address the threat,” acknowledges Jason Carolan, CTO at ViaWest. “At some level, it drives awareness.”
It’s not necessarily the events themselves, but what’s been left behind in systems, or what hasn’t yet been detected that can somehow be exploited, that poses the greater threat. Corporate networks and systems are attacked every day; the question is, how long does it take to recognize the exposure. There’s real latent risk in that nobody really understands what the current state or the “normal” or “good” state of data and infrastructure is anymore. There are just too many moving parts.
Still, the increase in activity shows progress is being made, and that at least some businesses are doing more to understand their current risk and exposure levels. Again a testament to some level of maturation in the market, the conversation is less about the lack of security in a cloud environment, and more about understanding the end-to-end security requirements based on business needs and processes.
It wasn’t long ago that cloud adoption was being stunted by fear and lack of trust – the cloud is not secure, said many. That view, however, exhibited lack of experience and understanding, rather than any innate cloud characteristic. Today, many of the security holes, while possibly opening up in the cloud, tend to be a result of the persistent use of HTTP and HTTPS acting as gateways to other services and opening up access to unwanted traffic. The cloud merely acts as a facility for accessing those applications and services.
“The cloud is as secure as your applications and your deployment capabilities and your architecture are,” says Jason Carolan, CTO at ViaWest. “There isn’t anything inherently more or less secure about cloud; it’s just a different way of deploying.”
For providers that include managed security services in their cloud offerings, the conversation is likely to be even easier, as they have a direct partnership between their cloud and security operations. ViaWest, for instance, provides managed security to some 80 percent of its cloud portfolio (a large percentage of the remainder have some level of involvement with security products and services on their own).
It’s not that companies intentionally disregard security needs. Rather, businesses are charged with keeping pace with the market, including both competitive offers and customer demands. For better or worse, that typically means security takes a back seat, because of a need to constantly upgrade, update, and patch applications and services. The real difficulty is that this constant change mode can inadvertently create security holes if care isn’t taken and, the complexity and today’s applications, devices, and networks only add to the challenge, and time-to-market needs can often be in direct conflict with compliance and regulatory requirements.
In fact, regulations, themselves, add to the complexity of maintaining compliance while updating applications. Many, such as HIPAA and FREPA, are vague in terms of defining specific requirements for compliance, making it difficult for businesses to understand their exposure, understand what controls are required, implement those controls, and be able to prove their existence and effectiveness.
Cloud computing certainly can help increase efficiency around application development and deployment. The increasingly popular DevOps model – a continuous build, continuous integration, continuous deployment environment – allows applications to be rolled out more rapidly, including updates and fixes, on the fly, in a live production environment. It ensures service continuity while enabling enhancements to be made.
But, because the updates are taking place in a production environment, the model also requires security to be as high on the list of priorities as the applications themselves. It requires a commitment to change management and an understanding of compliance requirements, and integration of the DevOps model as the instrument of change within the regulatory environment. Managed security is one option that addresses the issues without burdening staff with the tasks, but lets them go about their regular activities.
“We have seen companies that have been successful taking the DevOps approach,” says Carolan. “As long as they can roll those application changes through the right processes, they are able to meet all the change requirements on the compliance regulations while maintaining security, because of how automated those processes are. The customers we see having the most success are those that really take change management very seriously.”
The key lies in the automation. If left up to what Carolan calls “hand-crafting on the keyboard,” the chance for configuration errors that create security holes increases significantly, exposing the business and its customers.
“Our most successful customers are those we can work with on the DevOps side, and really help get our change management processes into their day to day activities,” explains Carolan. “It’s not only very secure, but we help them meet their time-to-market challenges as well.”
Founded back in 1999, ViaWest has a record of delivering security and compliance services, along with a host of colocation, managed services, and cloud computing offerings from its 27 data centers. Having traditionally been focused on physical security, it has, over the past few years, shifted focus to network and application architecture and application code, to ensure the code being deployed is fully secure – just like all the other network and data center elements.
In the end, when people talk about securing cloud, the conversation is no different than securing applications or servers or devices anywhere else. Cloud is merely a different method of deployment. And as for the cloud providers themselves, they have a very clear need to take security as seriously as anyone, understanding that any exposure has the potential to impact hundreds, thousands, even tens of thousands of customers (and their customers).
“We spend a lot of time looking at our multitenant infrastructure and making sure our control systems and control planes and the base level security models are well defined and implemented,” explains Carolan.
That attention to security detail, along with the fact that the near totality of its cloud customer base is running production environments, helps explain the high focus on security – one which every business would be wise to adopt.
“If our cloud goes down, payments don’t get processed or ambulances don’t get dispatched,” adds Carolan. “We are really focused on the production environment, which is why the adoption of our security services is so high and why our customers place such high value on it.”
That value, of course, comes with a cost. One of the chief reasons security has often been overlooked is that, in conjunction with a misunderstanding of requirements and threats, it’s not cheap. To do it properly, there must be a willingness to spend more on security. How much more depends on how long a business has been negligent in updating and upgrading its security measures. Carolan says his security budget has tripled or quadrupled over the past three years.
“If you look at what’s happened over the last few years, if you haven’t doubled you security investment – or at least close to that – you probably aren’t doing enough,” says Carolan.
The fact is the sophistication of networks and data and application, and the amount of layers that need to be orchestrated together and provided protection are exponentially greater than even a few years ago. Firewalls used to be enough, but it takes much more than just a firewall. Security has to include intrusion protection, endpoint security, MDM, remote access management and policies, and other elements that are only starting to emerge, such as WebRTC security.
“You really have to look at it differently than you did two or three years ago,” adds Carolan. “Those customers that really get this are willing to spend the money for the compliance and security services, but they sleep better at night knowing they have those protections.”
In another three years, we will likely be able to say the same things. This is an ongoing challenge that must be managed and maintained as regularly as any other services or applications. The nature of hackers and cyberterrorists is such that it’s impossible to stay far enough ahead, if at all. Security is very much a reactive market, which is why increased sharing and collaboration around exploits and standards is a must.
There are more traditional players, like Symantec (News - Alert) and Trend Micro, who continue to make making major investments, but there are a tremendous number of startups and smaller operations, like Mitre, that are looking at things like behavioral analytics and collaboration in an effort to create more effective standards around security.
“Hackers will always have bigger guns,” concludes Carolan. “But with greater collaboration and sharing, the security community can turn a traditionally static industry and turn it into a behavior-based, more zero day-based environment that will provide more effective measures, especially against large-scale issues.”
Edited by Maurice Nagle