Pat G

Cloud security: Can we keep up?

Besides having to defend the perimeter from outside threats, there are events within the perimeter which are proving to be as dangerous, if not more, than external threats.

Big cloud services like Salesforce, Instagram, Facebook, Microsoft, Box, Quora, Amazon Web Services, Google and many more have begun appearing in the news for all the wrong reasons. The expectation is that more data leak SNAFUs will come to light as time progresses.

Let’s try to take stock of what’s happening.

Cloud today

In this part of the world, it had taken a long time for cloud to gain the level of acceptance it sees today. Critics were silenced because the technology was getting more things done quickly and in ways that on-premise technologies never could.

It unlocked innovation and sparked unicorns.

Companies like Uber, Grab, Airbnb, took advantage of cheap cloud computing to build themselves to where they are today.

Traditional multi-national corporations are also leveraging cloud technologies to transform themselves digitally, to keep with the accelerated pace of innovation and customer expectations.

And on top of all this, public cloud is provided by mega mammoth-scale hyperscalers like Google, Microsoft and AWS, which have the heft, depth and experience to know what they are doing.

But, according to a Gartner distinguished analyst, Andy Rowsell-Jones, 95-percent of CIOs they surveyed say that the cybersecurity situation is getting worse.

Have we all been lulled into a false sense of security?

The number of mistakes and misconfigurations of cloud settings that have led to sensitive and company data being left out for everyone to see, begs this question.

Security everywhere

During a panel discussion during VMware’s CIO Forum 2019 in Singapore, Andy adds that in many countries in Southeast Asia, cybersecurity is seen as an IT issue.

All the behavioural mistakes and bad cybersecurity hygiene will defeat even the best cybersecurity solutions. “It doesn’t matter how good the electronic countermeasures are,” Andy said.

He also pointed out that the dangerous nature of jobs in sectors like engineering and petro-chemical or oil and gas, has made it mandatory for companies to learn safe behaviours.

“It took long years to instill a safety culture in these industries.  But outside these industries, we are still teaching employees to think and behave in a safe way.

“Every mechanical measure to protect data is bypassable. The danger lies in the belief that some mechanical measure can defend me from my own stupidity.”

VMware’s security stance

During his keynote, VMware CEO Pat Gelsinger, pointed out that VMware doesn’t want to Detect and Respond, but instead Prevent attacks.

“You have to build security into the underlying infrastructure. And that’s a strategy that VMware is embarking on with key products like NSX with built-in microsegmentation, where we are lowering the attack surface with native firewalls per-VM (virtual machine) and at application level.

Being able to protect with the VM itself, learning with machine learning with AppDefense, and other features like native encryption, consistent identity management across all users and all devices.

These are capabilities that reduce the attack surface at the platform.”

A chat earlier with other VMware executives reveal they believe their solutions are in a unique position.

VMware’s tech evangelist Motonori Shindo said, “Security is usually accomplished from the VM side or networking side. But VMware as a hypervisor company runs its solutions in the middle. And applications usually sit on VMs which are on the hypervisor layer.

So there is no risk of compromise from the networking layer because the network and apps are isolated from each other.  Therefore network has no visibility into the app layer.

According to Shindo, the hypervisor runs between VMs and apps. “It is close enough to the app to see it, but also isolate it from the VM.

“A lot of new things can be done in the security space (with the hypervisor layer) because of this capability.”

 Training

Gartner’s Andy observed, “Compute, network and storage – the folks trained in these have to transition go becoming a buyer and orchestrator of cloud services.”

Maybe therein lies the problem. People who were meant to do one thing, suddenly being thrust into doing other functions, as well.

Commenting about all the recent data leaks SNAFUs, IDC’s VP of IT Security Practice Business, Simon Piff said they happened because they just didn’t have time to do the training properly.

“The real issue here is culture. There’s the database administrator who thinks he was never meant to do security.”

And they usually do not want to budge or learn something new.

“These days, the IT business is about lifelong learning. If you are not spending 20 percent of your time learning a new skill outside of your area of comfort, then you are not doing right by yourself,” Piff said.

Maybe it will reduce the number of data leak and cloud misconfiguration SNAFus, as well.

 

View the video here.