Do you know what Cloud Security is?
This question is not so easy to answer. One moment you think it’s a solution you deploy, but on second thought – it is a process. It can be your provider’s problem, but suddenly you are responsible for data leakages. Typically, there is more than one answer to this question, depending on the context. Unsurprisingly, some answers are wrong…
Cloud has been on CxOs’ minds for quite a while now, yet as the theme evolves we seem to have ever more questions to answer, myths to bust and misconceptions to clear. IDC’s research shows that 39% of European decision-makers consider Security to be a top-3 inhibitor for Cloud adoption. At the same time, 77% of organizations are considering the use of security services that are delivered from the cloud, while 10% already use cloud-delivered security ‘by default’ (software survey 2016). Why is it so controversial? To be blunt and fair, it is because there is a lack of consistency when it comes to how people define cloud security.
There are 3 main reasons why understanding Cloud Security is important for any organization. First, digitization implies scalability of enterprise processes which, quite logically, concludes with the Cloud. IDC research reveals that 41% of spending on new applications and 39% of applications replacement spending will go to Cloud-based solutions. The net result is that IT departments have a growing responsibility when it comes to business continuity. The derivative of that is IT presented with a growing responsibility for business continuity (see here and here). Recently, the role of information security in business processes has become a frequent topic in our conversations with CISOs, hinting at the central position that security increasingly occupies at the heart of enterprise operations. Finally, Cloud can be both a tool and a dangerous playground for the average organization. If you fail to comprehend and account for organizational risks attached to ‘non-metal’ infrastructure and how Cloud can protect you – you endanger yourself and the whole crowd of your co-workers.
A lot of vendors want to ride the rising wave of Cloud-awareness by introducing Cloud Security into their portfolios. It comes in all shapes and sizes, from cloud-native solutions and software-defined security to cloud-outsourced functions for SVM and sandboxing. Some solutions are absolutely great, others may need improvement, but all of them are best-applied for the purpose they are built. There is no “silver bullet”. The moment you hear that some cloud-based security solution can give you 99.99% protection, remember – such an animal does not exist.
To understand the “purpose” part we need to draw a line between in-Cloud and from-Cloud protection. Two differentiators should be inspected here – deployment and functionality:
Cloud Security Deployment Duality:
Implied by its name, in-Cloud Security resides solely in the Cloud environment (not leaving it) and runs on APIs. Its main purpose is to inspect and protect the changing environment as it scales and morphs.
Security from-Cloud utilizes a remote agent approach when computations and remediation are shifted to a scalable and flexible platform, while security is meant for the user on-premise. These solutions are built for processing outsourcing and filtering.
Cloud Security Functional Duality:
By deployment, in-Cloud Security is restricted to the infrastructure, applications and data residing in Cloud environments. Therefore, such solutions can be used for DLP (data loss prevention), data integrity inspections, application firewalls, in-cloud encryption, software-defined security workloads, and access management in the cloud.
From-Cloud Security implies that protection is delivered from the virtual to physical devices, or rather that threats are kept away from the physical perimeter and security management workloads are detached from the endpoint. This can come in the form of Web filtering, identity and access management functions, firewalls, security information and event management, intrusion detection/prevention systems, incident response and forensics, or messaging security.
Mind that there are functions that cannot be delivered either way. Although it may feel like the sky is the limit for Cloud security, IT sky hangs much lower than the one you see from the window. A good example would be endpoint antivirus or in-memory protection. With existing technology, it is impossible to offload scans and continuous processes to the Cloud. At any point in time, you need to have a local agent on your hardware. These solutions are hybrid or cloud-augmented – not based in the Cloud.
Purposeful use of the Cloud should remain at the core of any IT strategy, including security software strategy. Businesses may find themselves with a stash of Cloud security software of questionable utility if they blindly follow the cloudization buzz – and this is in the best case. Understanding the in-Cloud/from-Cloud concept can help to prepare adequate Cloud Security strategy and answer the following questions:
Will the business benefit from the Cloud Security? Assessing security requirements before going Cloud-first can save effort. If the organization is neither currently using nor has future plans to use the Cloud for business processes and have low fluctuations in security workloads, it’s wiser to postpone the migration of security activities into the Cloud, and instead reinforce on-premise capabilities (check for cloud-augmented solutions), or first build a general Cloud strategy.
Where is Cloud Security needed? If the enterprise needs to mitigate spikes in security workloads or unify across various devices, from-Cloud solutions should be first on the list. If the organization is actively exploring scalable environments for hosting client applications, corporate processes, or data management, in-Cloud is a must.
How should the Cloud Security strategy be enacted? When the purpose is decided, organizations should split their in-Cloud and from-Cloud approaches and “do not cross the streams” unless it comes to security management. Find the provider that does its job the best for each case by assessing their efficacy separately for both streams.
Don’t try to get too far ahead of the game. As said – assessing your needs, current posture and foreseen benefits must come first.
Next month we plan to publish a report under the European Security Strategies practice that will investigate the European Cloud Security landscape in more detail. The technology and strategy around its implementation are at the core of our research, and we seek to provide you with actionable advice. To know more about it, please contact Konstantin Rychkov.