We kicked off our April #SecChat discussion by asking what security factors our community believed were inhibiting organizations from adopting cloud for the data center. The topic of control was quickly touched upon, as @LabNuke pointed out that access control is a key concern, and @KentMcGovern mentioned a loss of direct control over the environment. @BrianContos chimed in that with robust access controls and data protection, these objections to the cloud could lessen, even for organizations with critical infrastructure.
Another topic of concern was compliance and auditing. As @lkovnat mentioned, organizations have to consider data recovery if a cloud provider is being investigated – for example, in the recent case of MegaUpload. @KentMcGovern mentioned PCI DSS as another compliance concern, and how organizations will need to make sure that they still meet PCI standards when migrating to a cloud provider.
Still, these compliance concerns mentioned above will vary depending on which services will be cloud-based, and what data organizations choose to place in a cloud environment. As @BrianContos brought up, tagging data as it enters the cloud is essential in order to define what information resides there, even if it’s an unknown. And yet, therein lies another problem, as @Infosec_Tourist pointed out, metatagging can become a covert channel in and of itself.
Another question we sourced to our audience was whether or not compensating controls could provide the necessary trust of cloud providers in order to accelerate the adoption phase. @JadedSecurity chimed in that controls would have to be built into the application layer – and therefore the environment itself must be treated as hostile. So, if you build compensating controls into the application before releasing it, you should be able to trust them. @e_desouza added that if those applications can be reported on by a third party – like a digital certificate – they can become much more powerful.
Specifically, the most important compensating controls cited by our participants were application controls, encryption, and logical separation. One issue @JadedSecurity and @infosecmafia pointed out, however, was that despite their importance, hardware controls are usually taken out of the equation for many organizations. When you buy cloud services, you rarely have control over hardware, or how to manage, update or harden your instance.
But what about Software-as-a-Service (SaaS) providers? According to many of our participants, SaaS solutions still have a long way to go, specifically when it comes to the comingling of data. One issue that @msarrel brought up is that service providers’ security measures and responses need to be agreed upon up front. Another, according to @adammontville, that there is little to no flexibility in terms of consumer-grade SaaS. Nevertheless, @Shpantzer asserted that some SaaS services are quite secure, having been audited “to the hilt” by government agencies and enterprises for years. While @JadedSecurity agreed with this, he also noted that it all depends on your risk tolerance.
In a related question, @e_desouza asked what participants believed should be the role of cloud providers when it comes to responsibility for security and risk management. According to @adammontville, cloud providers have a responsibility boundary. Yet, according to @infosecmafia, if you are willing to put your applications and customer data in the cloud, you should be responsible for security testing. Why should a provider be responsible for a data breach of an app or service that a customer provides?
@e_desouza followed up by asking if our followers believed a day would arrive when cloud providers would have to take full responsibility for breaches. @andrewsmhay and @KentMcGovern didn’t think so – or at least, not without legislation and financial penalties. On the other hand, @erikremmelzwall was more optimistic, stating that responsibility will follow as customers evolve in security awareness. When it comes to legislation, @erikremmelzwall claimed that new legislature would only make customers more demanding of cloud providers as their risk value increases. @andrewsmhay pushed back, as he believes that legislation can be extremely useful, since without penalty, there is no motivation for providers to take security seriously.
In the end, there were some thoughtful final impressions to sum up our April #SecChat, with @adammontville stating that we’re still in for a wild ride in the cloud, especially as in-house security fundamentals continue to lag behind. @LabNuke added that we must remember that what was secure yesterday may be wide open today, due to undiscovered and unmitigated vulnerabilities. Constant monitoring, risk assessment and controls are needed, and as @KentMcGovern pointed out, our industry will need to adapt and overcome, and never stop learning.
Thanks again to everyone who joined our April chat. It’s always an educational experience, and we hope to see you all again during our May #SecChat on Embedded Security – 5/17 at 11am PT. Stay tuned here in the Security Connected blog and on Twitter at @McAfeeBusiness for more details on the topic, and how to join the chat.