At an event last week in San Francisco that covered a variety of cloud security issues, infosec expert Kevin Walker told attendees to be aggressive with cloud service providers and hold them accountable when it comes to security.
“The key for us practitioners is to go into this with eyes wide open,” said Walker, who has held senior security positions at Symantec and Cisco, among other global firms. He spoke at the Cloud Security Symposium, which was sponsored by Trend Micro.
The traditional focus on building fortresses with firewalls and IPSes won’t translate to the cloud, he said. Cloud provider requirements include increased transparency about their operations and how they detect rogue tenants, and information security pros need to be aggressive in making sure providers meet security requirements, he said.
That’s certainly easier said than done, especially when business units are going around IT and signing up on Amazon. It’s hard to press for security when you don’t even know what cloud services your company is using.
In many cases, lines of business aren’t waiting for IT when they need something – they simply use their credit card to buy cloud services, said JJ DiGeronimo, senior accelerate practice manager and cloud strategist at VMware. “IT departments have true competition from outside service providers,” she told attendees.
“People are used to securing a box, but now we’re moving to securing the data,” she said. “Data is going to sit everywhere and you’ll have to manage it regardless of where it sits.”
Data-centric security has been an ongoing theme in the industry for several years, with corporate network boundaries crumbling as employees become increasingly mobile. Enterprise adoption of cloud computing is becoming yet another driver.
“If you can’t control the systems anymore. … That’s the only way to do it [security] — to protect the data,” Trend Micro CTO Raimund Genes told me in an interview.
Trend Micro naturally has a vested interest in this trend – the company sells encryption products including a key management service for cloud and virtual environments – but it does make sense given that enterprise data is increasingly flowing to cloud environments and becoming harder to track. Maybe the rise of cloud computing will help push data-centric security into the mainstream.
In the meantime, if you’re looking for ways to track down unauthorized use of cloud services by your developers or sales executives, we published tips in this article.