Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
8/16/2017
09:00 AM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Cloud Complexity Mandates Security Visibility

The cloud is flexible, but security should be the top priority.

While cloud adoption continues at a fiery pace, the speed to migrate to this new platform sometimes comes at the cost of attention to critical security needs. CIOs certainly recognize and plan for data security, but because the cloud operates as a new paradigm, some IT professionals don’t fully understand the complexity of their new environment and how to be secure within it.

Ironically, the cloud is definitely a more complex environment, but it is also more flexible in serving customer's needs. To build an effective and secure cloud environment, your organization needs visibility across how your data and users are engaging with your environment, and how your various stakeholders are changing your infrastructure.

Let's first think about complexity, and we can start by questioning what that means in the context of a public cloud platform. Complexity doesn't have to mean difficult, however, and this is an important distinction. Among the selling points of the cloud is that it makes the life of IT admins easier; fewer physical assets to manage, a decreased reliance on technology expertise, and an easing of the overall technology coordination burden. While these things are true, ease of use and an elimination of some of the more arduous management duties is only part of the cloud story.

There are two aspects related to security that require attention, and herein is where you can see where things can get a bit complex:

  1. Cloud vendors use a shared responsibility model for how security management is conducted. This requires customers to maintain an always-on awareness of their responsibilities within the cloud. It is ultimately up to you as the cloud customer to ensure a secure and compliant environment for your own operations. Less work perhaps, because you don’t have physical assets to manage, but far from easy.     
  2. The cloud stack is made up of various elements, and each one requires different security and compliance requirements. The storage layer, for example, requires securing data access, having data encryption policies, and other types of rules for things like logging and versioning. With six different layers of the cloud stack, and with dependencies among them, there has to be some level of continuous coordination to ensure these pieces are all secure and compliant.

While I hope I've made the case for recognizing and handling complexity, it's also really important to understand that with the right type of security tools, much of the work of identifying vulnerabilities in the cloud can be handled in a continuous, automated way; this is one of the ways we distinguish between complexity and difficulty. All this complexity can be mitigated, in terms of the amount of work, but to do so requires visibility.

Cloud security is, in large part, about awareness. This includes the need to maintain visibility into your cloud environment at all times, the ability to act upon any issues identified to mitigate risks, and the need for increased automation of security efforts to apply emerging best practices as consistent and enforceable behaviors.

It’s impossible to properly secure dynamic cloud environments without truly knowing every interaction within your environment and in all corners of your cloud. In today's cloud platforms, however, things like elastic infrastructures and API-driven cloud service suites have changed the way security needs to be architected, implemented, and managed throughout the workload lifecycle.

The lack of skilled cloud resources has further compounded the problem. Countless IT and cloud security teams grapple with the ambiguity of what to monitor, when to monitor it, how to identify evidence of compliance, overall reporting requirements, and so on. What is clear is the need for automation in dynamic, cloud-centric environments. Without continuous automation and assessment, organizations lack timely visibility into infrastructure configuration and workload risk and will have a hard time proving any form of compliance in the cloud.

With increased visibility, teams can quickly mitigate the most common vulnerabilities in minutes to drastically reduce the organization’s threat surface, and then focus resources on issues that require more time and attention to fix. 

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36388
PUBLISHED: 2021-06-17
In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.
CVE-2020-36389
PUBLISHED: 2021-06-17
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
CVE-2021-32575
PUBLISHED: 2021-06-17
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.
CVE-2021-33557
PUBLISHED: 2021-06-17
An XSS issue was discovered in manage_custom_field_edit_page.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.
CVE-2021-23396
PUBLISHED: 2021-06-17
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.