Information Security in the Age of the Cloud
I love technology. It’s one of the reasons I live in Silicon Valley (aka Nerdvana). And although I’d like to say I’m young for my age, I’m old enough to remember LBPC (life before personal computing). Amongst the valley’s cultural attractions, my favorite is the Computer History Museum. As I tour the displays, I remember working with equipment and systems that are called artifacts today.
Computing technology has yielded profound benefits. I was reminded of this a year ago when I visited Bletchley Park and toured the buildings where British codebreakers made huge contributions during World War II. Even so, technologies developed with positive intent are often co-opted for negative purposes. Take email, for example. It emerged in 1973 and resulted in greatly expanded communications and collaboration. The first spam email appeared in 1978. By the early 2000s, spam had become a persistent nuisance. And the problem didn’t stop at unsolicited marketing; it evolved and grew. The prevalence of viruses, phishing schemes, ransomware, and other forms of malware has grown steadily and made the online world a dangerous place. This is bad news for everyone except security software companies, whose business has grown in step with the online threats they defend against.
It seems as though every beneficial use of technology has a corresponding misuse. Cyberthreats continue to multiply as the network effect makes information more and more valuable. The trend is reflected in the growing rate of high-profile data breaches. The old approach of security through obscurity is no longer an answer in an increasingly interconnected world. Everyone is a target today. As a result, security is no longer the responsibility of a select few; it has become everyone’s responsibility.
Send in the Clouds
Let’s now turn our focus to cloud computing. Specifically, how does the cloud affect security? Since public clouds are highly networked environments on shared infrastructure, they can appear to be less secure than private data centers. Concerns about security have been cited by CIOs as the top barrier to cloud adoption for the past several years. However, that view is changing. As enterprises gain more experience with the cloud, they grow to understand that the security services offered by the major providers are often more capable than those they have in-house. The cloud does not, however, absolve users from security responsibilities or concerns. This is best expressed by Amazon Web Services’ shared responsibility model: the provider is responsible for security of the cloud (the physical facilities, hardware, network, and virtualization layer), while the customer remains responsible for security in the cloud (identity and access management, data encryption, network rules, operating system patching, and application security). A misconfigured storage bucket or an over-privileged credential is the customer’s problem, no matter how well the provider secures its data centers.
So what does security in the cloud entail? Can the same tools and processes used in on-premises environments simply be shifted to cloud environments, or are there significant differences?
An Industry Perspective
Global management consultancy firm, McKinsey and Company, recently published an excellent report on the subject of cloud security, “Making a secure transition to the public cloud”. In it, they write that:
“using the public cloud disrupts traditional cybersecurity models that many companies have built up over years. As a result, as companies make use of the public cloud, they need to evolve their cybersecurity practices dramatically in order to consume public-cloud services in a way that enables them both to protect critical data and to fully exploit the speed and agility that these services provide.”
They call for companies to take “a proactive, systematic approach to adapting their cybersecurity capabilities for the public cloud,” based on the following four practices, which the article describes in detail:
Developing a cloud-centric cybersecurity model;
Redesigning the full set of cybersecurity controls for the public cloud;
Clarifying internal responsibilities for cybersecurity, compared to what providers will do; and
Applying DevOps to cybersecurity.
They also call for a broad security focus, including groups that traditionally haven’t had strong security responsibilities:
“Many developers will need additional security training to provide effective support during and after the public cloud migration. Training also helps developers understand the security features of the tools they are using, so they can make better use of existing security APIs and orchestration technologies and build new ones.”
The article goes on to describe a combination of security and DevOps (sometimes abbreviated as SecDevOps). The process is outlined in the following figure:
With SecDevOps, McKinsey says, “a properly trained development team is the security team.”
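The following is an added example, not code from the original post or from McKinsey or Guidewire, that ties together the two points above: the customer-side half of the shared responsibility model and the SecDevOps idea of having the development team enforce security controls in the delivery pipeline. It is a small policy-as-code gate that a CI step would run against infrastructure definitions before deployment. The resource schema (security groups, storage buckets, IAM policies) is a hypothetical, simplified stand-in for what a Terraform or CloudFormation template would declare, and the sample resources are constructed for illustration.

```python
"""Policy-as-code gate for customer-side cloud controls, run in CI.

Added example (not from the original post, McKinsey or Guidewire). The
resource schema is a hypothetical simplification of an infrastructure-as-code
template; SAMPLE_RESOURCES below is constructed for illustration.
"""
import ipaddress
from typing import Callable, Dict, List

# Ports that may reasonably be exposed to the whole internet on a web tier.
PUBLIC_OK_PORTS = {80, 443}


def _is_world_open(cidr: str) -> bool:
    """True if the CIDR covers the entire IPv4 or IPv6 address space."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def check_security_group(res: Dict) -> List[str]:
    """Flag ingress rules open to the world on anything but a single web port."""
    findings = []
    for rule in res.get("ingress", []):
        if not _is_world_open(rule.get("cidr", "")):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        if not (lo == hi and lo in PUBLIC_OK_PORTS):
            findings.append(f"{res['id']}: ingress {lo}-{hi} open to {rule['cidr']}")
    return findings


def check_bucket(res: Dict) -> List[str]:
    """Flag buckets that are publicly readable or lack encryption at rest."""
    findings = []
    if res.get("public_access"):
        findings.append(f"{res['id']}: bucket allows public access")
    if not res.get("encryption_at_rest"):
        findings.append(f"{res['id']}: bucket has no encryption at rest")
    return findings


def check_iam_policy(res: Dict) -> List[str]:
    """Flag Allow statements granting every action on every resource."""
    findings = []
    for stmt in res.get("statements", []):
        if (stmt.get("effect") == "Allow"
                and "*" in stmt.get("actions", [])
                and "*" in stmt.get("resources", [])):
            findings.append(f"{res['id']}: statement allows all actions on all resources")
    return findings


CHECKS: Dict[str, Callable[[Dict], List[str]]] = {
    "security_group": check_security_group,
    "bucket": check_bucket,
    "iam_policy": check_iam_policy,
}


def evaluate(resources: List[Dict]) -> List[str]:
    """Run every applicable check and return the list of findings."""
    findings: List[str] = []
    for res in resources:
        check = CHECKS.get(res.get("type", ""))
        if check:
            findings.extend(check(res))
    return findings


# Constructed sample: one compliant and one non-compliant resource of each kind.
SAMPLE_RESOURCES = [
    {"type": "security_group", "id": "sg-web",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    {"type": "security_group", "id": "sg-bastion",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
                 {"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
    {"type": "bucket", "id": "claims-archive",
     "public_access": True, "encryption_at_rest": False},
    {"type": "bucket", "id": "policy-docs",
     "public_access": False, "encryption_at_rest": True},
    {"type": "iam_policy", "id": "ci-deployer",
     "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
]


def gate(resources: List[Dict]) -> int:
    """CI entry point: print findings and return the step's exit code."""
    findings = evaluate(resources)
    for finding in findings:
        print("FAIL", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_RESOURCES))
```

Run as a pipeline step, the non-zero exit code blocks the deployment until the developer who wrote the template fixes the bastion rule, the bucket settings, and the wildcard policy, which is exactly the point of making the development team the security team: the control is enforced where the change is made, not discovered later by a separate audit.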
Instilling a Security Mindset for the Cloud
To summarize, when moving to the cloud, security must be a central focus. The good news is that cloud service providers invest huge amounts of resources in security, and they offer a wide range of highly capable security services. However, to take full advantage, companies need to reexamine their security approach. They need to instill a security mindset across their organization and design security into all aspects of their operations. By doing so, they can take full advantage of cloud agility, scale, and economics, while avoiding the very real dangers that lurk online.
Next week, my colleague Ryan Smith will blog about a recent Celent whitepaper, Security for Core Insurance Systems in the Cloud, that serves to help guide insurers in understanding security as it relates to the cloud so that informed decisions can be made. In the meantime, learn more about what Guidewire is doing in the cloud here.