Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Tim Prendergast
Tim Prendergast
Connect Directly
E-Mail vvv

Fear & Loathing In The Cloud

Whether you've already bought your ticket for the cloud or still have some issues to sort through, fine-tune your security practices to make sure your ride is a smooth one.

For those of us who started our careers amid the structure and disciplined rigor of old-school, waterfall, data center-centric application development, the cloud seems like a psychedelic trip straight out of a Hunter S. Thompson book. Code is being deployed in nearly continuous fashion. Servers are history. Penetration tests are so out of date by the time they're done, you might as well have not even tried. It can be overwhelming, and there are days you probably want to jump in a red Chevrolet Impala and hit the road.

Each week, I talk to folks in enterprises who are either beginning or accelerating their to move from traditional on-premises infrastructure to the cloud. They anticipate they will realize benefits including increased agility, reduced costs, flexibility, and ease of use. But along with this transition there are new security concerns, fear, and, yes, sometimes a little bit of loathing. They've heard cloud stories from their friends, after all.

However, almost all organizations recognize that they need to adapt and modernize their security policies and posture so they can continue to achieve corporate goals while taking advantage of everything the cloud offers. Security can be the ultimate accelerator or the biggest blocker in cloud adoption and technical innovation. Many security and development professionals are struggling to find the right cloud security approach to fit their modern IT practices. They worry most about the lack of control and visibility but also don't want to see their organizations fall behind competitors because they've slowed or blocked cloud adoption.

When it comes to cloud security today, there are many issues that organizations are trying to sort through, but here are a few I hear the most. 

  1. Organizations viewing the cloud as just another product: You can't make an assessment of your security today and assume it holds true tomorrow. Heck, it probably won't hold true an hour from now. The cloud is living, breathing, and rapidly changing. Security within this constantly changing environment has to be continuous, or it won't be effective. Traditional security solutions weren't created to fit the rapidly changing elastic infrastructure of the cloud. While attacks become increasingly automated, you need to adopt new security tools and techniques to work effectively in this new ecosystem.   

  2. Traditional scanning won't do: Traditional data center solutions rely on being in the path of traffic, being deployed within an application or operating system, or on traditional network-based IP scanning techniques. That approach doesn't work in the cloud. Users run application stacks on abstracted services and platform-as-a-service layers or leverage API-driven services that render conventional security solutions ineffective. Cloud environments are so fundamentally different from their static on-premises counterparts that they require an entirely new way of administering security practices, and this means adopting new cloud security technologies that provide extreme visibility.

  3. Differentiating real security issues from "noise": Teams working in the cloud benefit from speed and acceleration, but it's important to recognize how their approach to security must be vastly different. Discerning real vulnerabilities from solely infrastructure noise is a major challenge. All this change and noise make a manual inspection of the infrastructure too slow to be effective. The API-centric cloud world requires a new way for defenders to protect their environments, but not all cloud and IT teams really understand these security nuances. Security automation is one way to overcome the knowledge and skills shortfall that exists in every development and IT shop.

  4. Lack of compliance with API-driven cloud security: The emergence of API-driven cloud service suites has changed the way security must be architected, implemented, and managed. While the API is a completely new threat surface that we need to defend, it also provides the ability to automate detection and remediation. As new compliance benchmarks such as the CIS AWS Foundations Benchmark are released, we will have a means to assess our security posture against industry-defined best practices and ensure that we're taking the right steps to keep our customers, employees, infrastructure, and intellectual property secure. Cloud migration is happening quickly, and compliance with rapidly evolving security requirements is an ever-increasing challenge that must be resolved through automation. 

Whether your organization was born in the cloud, is migrating to the public cloud, is building out a private cloud, or has a crazy complex hallucination-inducing hybrid cloud strategy, the cloud is happening, and it's an absolute necessity that we adapt our security practices. No longer is security left to the security guys: we all have a part in creating a holistic, continuous, and rapid security program fit to support the cloud. As Hunter S. Thompson wrote, "Buy the ticket, take the ride."

Related Content:

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
10/4/2016 | 12:39:54 PM
Re: Fear & Loathing In The Cloud
@anna.beh, I have to wonder what you do to make a statement like "obligated to go to cloud"? Give me one good reason to make your manufacturing shop floor dependent on an internet connection to get product labels printed after they make them? Or look up the next thing they need to make? 

And the cloud is more expensive in almost every case, from the rent you pay for everything to the beefed up WAN connections you need to depend on an internet based service. 

Unless you are playing the private cloud card, which is nothing more than fancy name for the virtualization movement that has been going on since the term "cloud" first came out.

I'm thinking your job is heavily vested in some cloud company to make a statement like that. 
User Rank: Apprentice
10/4/2016 | 12:44:18 AM
security for cloud computing
There needs to be development for security in cloud use so that way businesses can stay more secure. It would also be nice to see some of the main vendors offering certifications for cloud security.
User Rank: Ninja
10/3/2016 | 8:05:30 AM
actual purpose
many of us are inclined to believe the Real Purpose of "The Cloud" -- is (1) surveillance; and (2) license enforcement;   iow regulation of digital and network activity;
User Rank: Apprentice
9/30/2016 | 3:19:09 AM
Fear & Loathing In The Cloud
Today it is an obligation for companies to move to the cloud, but is it that security can be guaranteed in the same way? I'm not sure and I understand the fears of the company for the transition to the cloud!
User Rank: Apprentice
9/29/2016 | 11:12:17 AM
Makes me thing of this wonderful sticker :) and statment Cloud, what could go wrong :)

Its these types of thoughts that really make me think about some of the blind followers who simply think going to cloud will solve all of their enterprise problems.

And finding it might be easier only if you think about all the little things, but at the end its not perfect solution always.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-17
In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.
PUBLISHED: 2021-06-17
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
PUBLISHED: 2021-06-17
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.
PUBLISHED: 2021-06-17
An XSS issue was discovered in manage_custom_field_edit_page.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.
PUBLISHED: 2021-06-17
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.