Dan Kaminsky’s BlackHat 2016 keynote – which was commendably entertaining – touched on a debate that has long been festering in the IT security research community: does virtualization – essentially the whole premise of cloud computing – constitute a security boundary?
In my view, that debate has always been slightly off the mark. Virtualization was originally designed as a way to increase hardware utilization, essentially driving down the effective cost of expensive servers. Yes, that should remind you of cloud computing, but like most things in IT, virtualization was about cost savings, not security.
At the advent of the current public cloud era, virtualization had to be implemented, configured, and deployed as a security boundary in order for those services to be viable. Therefore, the question isn’t whether there’s a security boundary between one of your virtualized resources and the rest of the cloud. The boundary is indeed there, which is actually good news, because everyone’s using it.
Instead, there is a better question to ask: what can I do to protect myself from inevitable breach of my cloud based resources? The answer: the same things you’re (supposed to be) doing to protect your on premise computing resources.
Even better question to ask: what are the unmitigated risks?
We’ve been seeing for years how cloud adoption can put the IT team at odds with the software development team. The IT team imposes compliance controls on behalf of the board of directors, the net result of which is that the rate of IT resource onboarding is throttled. That worked fine until public cloud came into its current form. Now, if your internal business teams are waiting on IT, they are falling behind your competitors, whatever your core business happens to be.
Even non-technical CEOs know that if business velocity can increase tenfold by transitioning certain functions to the cloud, that’s a good thing (and inevitable). CISOs know that, too, and they are – or should be – concerned.
Should you trust the public cloud? The answer for your C-suite executives is yes. The answer for your IT security team is no.
The CEO wants to grow the business. That hasn’t changed. The CIO is tasked with maintaining regulatory compliance and preventing any data loss that would materially affect the value of the company. That doesn’t change either.
Does public cloud make the CIO’s job harder? Yes, but not in the way people usually think. Public cloud vendors will be happy to talk to you about their compliance measures. No sweat there. And datacenter operations at the public cloud providers are usually vastly more secure than what most other companies can afford to implement, so we don’t get to play that card as an objection.
But data loss controls do get harder to enforce in the race to cloud, so the CIO’s job is harder. If employees are bypassing IT and creating cloud servers without a hardened security profile, without strong authentication, without a known configuration, without auditing, etc., then the business is less secure.
How to solve that problem? Rules and guidelines for public cloud usage. Use the carrot and the stick: make it easier for business users to deploy cloud resources in a secure way, and make it clear that there are penalties for putting corporate data at risk due to negligence.