Many thanks to the organizers of Seattle Technical Forum, and to the sponsor of last night’s Side by Side of Cloud Computing (IV) event in Bellevue, WA, UnifyCloud (in particular, kudos to host Marc Pinotti for keeping the event on schedule).
The main theme that emerged from the sessions is that, while enterprise IT and developer adoption of mobile + cloud computing is continuously increasing, and continuously becoming easier (see AppSheet – wow), so too are cloud security controls and policy monitoring becoming less intrusive and simpler to use. From a security practitioner’s perspective, this is good news indeed, because while migration to cloud-hosted services has been non-stop since the beginning of the modern computing age, the same can’t be said about the sophistication of defensive security technologies.
It’s not that the major cloud service providers (CSPs) are less secure than most on-premises IT operations. Indeed, the typical equation is that the big CSPs are more secure, but also present a bigger, more desirable target to attackers, and also imply less control. In any case, the customer simply must not make assumptions, any more than you can make assumptions about the physical security of your office building. Determine what controls you need, decide how they can be achieved, and then find the best price.
Proponents of Microsoft’s Azure cloud were well represented last night (where were the Amazon people?), and it was refreshing to see the new controls being tested to proactively scan cloud data and applications for security policy violations. (Passive application-level monitoring is one of the most underutilized tricks in the IT security professional’s bag. Use it!) Next step: put those same capabilities in the hands of customers.
Finally, when it comes to data security, whether in the cloud or on-premises, defense in depth is the only winning strategy. It’s not enough to authenticate users at the perimeter. Instead, institute rings of control based on increasing data sensitivity – what JW Secure calls a Stronghold. And use StrongNet to prevent your endpoints from becoming a vector for attacks.