Security by default is a myth in the cloud world
Barracuda Networks’ product manager, Tushar Richabadas, has observed that many customers are looking at cloud platforms and thinking that they are ‘secure by default’. The reality couldn’t be further from the truth.
This ‘secure by default’ thinking is a product of misunderstanding the Shared Security Responsibility (SSR) model. In fact, Tushar broadly categorises three personas in the organisation when it comes to their approach towards security.
“The pessimist thinks that cloud is too unsecured and does not want to go onboard,” he said, adding that these personas prefer to have ‘pets’ in the server room and on their own premises. Then there is the optimist, who thinks the cloud IS secure by default and that everything would be taken care of.
And there is the last persona, whom Tushar described as being a realist. “The realist understands the SSR model and puts in the required levels of defences and ensures that while deployment is secure, it is also usable and automated as much as possible so things move fast at cloud speed.”
While every party involved in the deployment of a cloud-based workload is responsible for its security, they also have to be on the same page about ensuring that security does not get in the way and nullify all the benefits of cloud.
What could go wrong?
According to Tushar, there is no dominant persona in the organisation. A preference for cloud may simply be because it makes sense for the business model. “Smaller manufacturers of consumer products may be more open to cloud computing simply because it offers significant economies… it depends on culture and motivations and cost control.”
The mistake is in thinking that when a provider like Amazon provides a cloud service, security is also included in the service.
“Because of certain limitations of cloud, things like segmenting in the cloud are different. You don’t own infrastructure, so you can’t separate hosts the way you would in your own data centre, for instance,” Tushar described. “Customers need to go beyond, they need to go defense in depth.”
“With a cloud platform like AWS, you have a choice of infrastructure-as-a-service or platform-as-a-service, and a lot of responsibility still falls on you. This is very clearly described by AWS in the Shared Security Responsibility model, and by Microsoft in their Shared Responsibilities for Cloud Computing whitepaper.”
He explained that in a way, a cloud model is similar to an on-premise model, with specific challenges that cloud brings. “You can still be infinitely flexible, but the network, application, security layers, the data governance, identity access management, encryption and more… all these transfer to you.”
Barracuda Networks has a role in educating their customers and talking about these challenges. “We let customers know that there are a lot of things left unsecured if they don’t use proper solutions on the cloud,” said Tushar, who also added that now AWS starts deals by showing potential customers the SSR model.
What Barracuda can do is provide customers with easy ways to secure their network and application infrastructure on the cloud. Tushar explained, “Secure connectivity to cloud resources is the base on which a successful cloud deployment rests – and the Barracuda NG Firewall is a powerful asset in helping you deploy securely to the cloud. Web, mobile and API applications deployed on the cloud need specialised protection, which is offered by the Barracuda Web Application Firewall.”
He also observed, “It takes a while to mature in any situation. Typically customers take some time to learn and mature with new technologies, and this is going to happen with the cloud. However, with the cloud they need to learn and understand faster, since their resources are more exposed.”
In essence, it takes time to understand what the SSR model actually means to your organisation, but things are moving at cloud speed, which is faster than when you are on-premise.
If this is not done right, organisations can be equally exposed, if not more so; experienced guidance and appropriate security solutions already in place can help a lot.