<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Don't Fear the Cloud! in Cloud Security</title>
    <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/64#M16</link>
    <description>Great point. There are limitations to everything. Look forward to seeing you at Congress James.</description>
    <pubDate>Thu, 21 Sep 2017 17:44:23 GMT</pubDate>
    <dc:creator>david-shearer</dc:creator>
    <dc:date>2017-09-21T17:44:23Z</dc:date>
    <item>
      <title>Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/27#M14</link>
      <description>&lt;P&gt;&lt;FONT size="4"&gt;&lt;FONT size="2"&gt;&lt;A href="http://bit.ly/2hfwl4K" target="_blank"&gt;http://bit.ly/2hfwl4K&lt;BR /&gt;&lt;/A&gt;&lt;/FONT&gt;&lt;BR /&gt;&lt;/FONT&gt;&lt;FONT size="4"&gt;NATURAL DISASTERS PUT THE "A" IN THE CIA TRIAD TO TEST&lt;BR /&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/FONT&gt;&lt;FONT size="3"&gt;&lt;EM&gt;&lt;STRONG&gt;By David Shearer, CISSP, CEO&amp;nbsp;&lt;/STRONG&gt;&lt;STRONG&gt;(ISC)²&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;&lt;/STRONG&gt;&lt;/EM&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;DIV class="entry-content"&gt;&lt;DIV class="entry-body"&gt;&lt;P&gt;Let's face it, there's still a fair amount of fear when it comes to the cloud, and I know firsthand people in Texas and Florida recently experienced some devastating weather that tests individuals' and organizations' resiliency. Natural disasters like Hurricane Harvey, Irma and others around the world can serve as a reminder that cybersecurity, IT/ICT and OT for that matter, need to work in complementary ways to ensure not only cybersecurity resiliency but business and mission fulfillment resiliency (i.e. Continuity of Operations). I break these areas out, because I frequently hear them discussed in stovepipe ways. That vertical versus horizontal view simply does not serve the endgame for the organizations we serve.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm old enough to remember putting in PBX core communications switches. Then we moved to IP Trunked PBXs for addressing long-distance charges, and then facilities-based voice over Internet Protocol (VoIP) implementations. Early on, we had facilities-based VoIP scalability issues, but we eventually worked through most of those limitations. In the early days, VoIP-based solution architectures were constrained to a facility. Then soft phones came to pass along with cloud-based communications services. 
OK, you're likely asking, “Dave, where are you going with this?” Well, we talk a lot about the CIA triad:&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Confidentiality&lt;/STRONG&gt;,&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Integrity&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;and&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Availability&lt;/STRONG&gt;. In the context of this post, I'm focusing on Availability without discounting the importance of Confidentiality and Integrity.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;(ISC)² teamed with the Cloud Security Alliance (CSA) to develop the Certified Cloud Security Professional (&lt;A href="https://www.isc2.org/Certifications/CCSP" target="_blank"&gt;CCSP&lt;/A&gt;®) certification. Both organizations believe you shouldn't fear the cloud, but you need to move solutions to the cloud in the most secure way possible. We all know there are no absolute guarantees when it comes to security, but leveraging best practices and sound risk-mitigation strategies gives organizations a fighting chance.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cybersecurity is an important part of the equation, but we need to work in complementary ways with the IT, ICT and OT communities to help ensure the availability aspects of the CIA triad. When Irma impacted Florida, (ISC)² was fortunate that we designed our enterprise architecture leveraging cloud services. I won't go into details about this for obvious security reasons, but I will say in the case of a regional disaster like Irma, we were far better prepared to ensure availability of our operations and services. Cloud-based phone and service center solutions enable us to leverage remote work and shift work load to other regions of our operations. 
Our headquarters building was without power for days, and fortunately the computing and storage workloads we moved from on-premise to the cloud helped us sustain our operations with minimal impact to our members.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I write this merely to raise awareness and remind people there are no options available to us that are risk-free when it comes to leveraging technology to host our information assets and supporting our mission and business operations. I write this with a fair amount of trepidation, because it always seems that when we talk about how good we are, we end up being tested. However, in the wake of Irma, I feel compelled to write about how cloud-based communication services, computing and storage can provide for –&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;EM&gt;when done well&lt;/EM&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;– operational and cybersecurity resiliency. Both outcomes are vitally important to any organization. The paradox we’re always trying to balance is operational capabilities with appropriate levels of security to manage risks. Suffice it to say, if it were easy, anyone could do it. Even with the best plans, our efforts can be thwarted. Again, that's where cybersecurity and operational resiliency converge. I break these two capabilities out intentionally to help raise awareness of the inherent tension between the two. In some cases, we may be able to restore operational capabilities in advance of cybersecurity confidence, but it's a risk management issue. How risk averse is an organization? If an organization is willing to restore operations in advance of cybersecurity confidence, it certainly can. Cybersecurity is not a hard-and-fast gate to business or mission operations. 
Cybersecurity should provide a gauge to an organization to determine their level of risk acceptance, because there are no guarantees when it comes to cybersecurity.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This may sound like I'm ending on a fear, uncertainty and doubt note, but that's not my intention. I've seen where the cloud provides a better security posture for many organizations. Servers in office closets and even in fairly well designed business computer rooms frequently will not provide service in regional property destruction and power outage situations. Additionally, some outsourced data center solutions will suffer from regional disruptions. In the case of Small and Medium Businesses (SMBs), this is very frequently the case. Organizations counting on single facility-based solutions in times of natural disasters can fail miserably at addressing the "A" in the Confidentiality, Integrity and&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Availability&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;triad. So at (ISC)², along with our friends at the CSA, we say "Don't fear the cloud." Understand how to leverage the cloud for operational, cybersecurity and competitive advantage. Public sector organizations should also consider the type of resiliency cloud-based solutions can provide during natural disasters. Few organizations can afford the type of geographical data center diversity that cloud solution providers can deliver, particularly when it comes to availability. An often overlooked capability when considering on-premise versus cloud-based solutions is continuity of operations (e.g., availability). 
Granted, information assets that are not “available” have little risk to&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;EM&gt;confidentiality&lt;/EM&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;and&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;EM&gt;integrity&lt;/EM&gt;, because few organizations continue to operate without information asset and service&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;EM&gt;availability&lt;/EM&gt;.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That’s my story, and I’m sticking to it.&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;</description>
      <pubDate>Wed, 20 Sep 2017 17:05:28 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/27#M14</guid>
      <dc:creator>david-shearer</dc:creator>
      <dc:date>2017-09-20T17:05:28Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/55#M15</link>
      <description>&lt;P&gt;A great article and case study about using the cloud.&amp;nbsp; I'm glad you all survived Irma!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Availability is key, especially in the ICS space.&amp;nbsp; However, I worry about the day when there is SCADA in the cloud!&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 21 Sep 2017 14:43:55 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/55#M15</guid>
      <dc:creator>James</dc:creator>
      <dc:date>2017-09-21T14:43:55Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/64#M16</link>
      <description>Great point. There are limitations to everything. Look forward to seeing you at Congress James.</description>
      <pubDate>Thu, 21 Sep 2017 17:44:23 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/64#M16</guid>
      <dc:creator>david-shearer</dc:creator>
      <dc:date>2017-09-21T17:44:23Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/368#M17</link>
      <description>&lt;P&gt;Worth noting: not all things "Cloud" are created equal.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Of concern:&amp;nbsp; The message currently being marketed to the C-Suite is that "Cloud is much more secure than on-prem."&amp;nbsp;&amp;nbsp; Agree that *CAN* be true, sometimes, with some clouds, some cloud suppliers, and some uses of "the cloud."&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Totally disagree that any old XaaS provided by any old provider in any old way with or without any particular security measures&amp;nbsp;is necessarily more secure than doing the same thing on-prem, just because it's "cloud" and "cloud is more secure."&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;WE may all understand that, but marketers are marketing to C-level execs without InfoSec credentials with sometimes dangerous messages.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just sayin.&lt;/P&gt;</description>
      <pubDate>Sun, 08 Oct 2017 14:50:08 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/368#M17</guid>
      <dc:creator>RG</dc:creator>
      <dc:date>2017-10-08T14:50:08Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/435#M18</link>
      <description>&lt;P&gt;Nice read, and for availability (and resilience!!) it is true for a lot of countries. The key here, however, is to balance all aspects. Privacy is a big thing in the EU, so it throws in its weight in the cloud debate. The key difference, in my opinion, is in the US, privacy is treated like a commodity (covered by product law), and in the EU it's a personal right (like liberty). Cloud providers have enormously complicated service term structures (if you want a taste of hell, dive into the Microsoft agreement structure). This leads to large uncertainties in how data is treated in accordance with EU law.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This information asymmetry counteracts the benefits of cloud services like availability in my&amp;nbsp;opinion in a strongly&amp;nbsp;regulated market like the EU.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 08 Oct 2017 15:38:02 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/435#M18</guid>
      <dc:creator>Secujay</dc:creator>
      <dc:date>2017-10-08T15:38:02Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/524#M19</link>
      <description>&lt;P&gt;I have just landed at home after attending a Microsoft Azure event, and I have to say that I am impressed with how much Microsoft is focusing on Security.&amp;nbsp; They really seem to understand that companies are taking security seriously, and that security is one of the main reasons why most IT departments haven't moved into the Cloud.&lt;/P&gt;&lt;P&gt;I am not sure what the other Cloud providers are doing, as my company just deals with Azure, but I can say that I was impressed with Microsoft's security, and the fact that they are planning on making Security one of the main differentiating&amp;nbsp;factors between them and the other Cloud providers.&lt;/P&gt;</description>
      <pubDate>Sun, 08 Oct 2017 17:16:37 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/524#M19</guid>
      <dc:creator>jaweekes</dc:creator>
      <dc:date>2017-10-08T17:16:37Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/583#M20</link>
      <description>&lt;P&gt;In the wake of Irma I thought I'd share our recent Cloud experiences.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Some background:&amp;nbsp; We are a small medical device manufacturer in Clearwater FL.&amp;nbsp; Although it's an older company, we're just starting on our accountability and availability journey and until I joined we have not placed a priority on DR/Business Continuity.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This was my first experience with the company preparing for what looked like a category 5 hurricane heading for our building.&amp;nbsp; We have a limited DR plan in place so far,&amp;nbsp; and the only data center/servers resides in the building.&amp;nbsp; We do have a Unitrends backup system in place (both onsite, offsite, and cloud archive backups) So "protection" of the data is not an issue.&amp;nbsp; Recovery time is.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So as the hurricane slowly approached we looked at options for getting our critical applications available quickly. We ended up creating a private VPN to Amazon Web Services, spinning up some servers to run our ERP systems in EC2, and as a test restoring our ERP systems from our Unitrends backups.&amp;nbsp; All the research and implementation&amp;nbsp; took us about 2 days (including the restore from the Unitrends system) and since have tested restore a couple more times and have it down to about 4 hours.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Fortunately the hurricane missed us.&amp;nbsp; However as we continue to develop our DR/Business continuity plan we will definitely continue to include cloud services in the design.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 08 Oct 2017 18:57:50 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/583#M20</guid>
      <dc:creator>shawnhart</dc:creator>
      <dc:date>2017-10-08T18:57:50Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/604#M21</link>
      <description>&lt;P&gt;A very good piece.&amp;nbsp; However, let's get down to reality.&amp;nbsp; Look at the recent stories, due to misconfiguration issues on AWS and Azure, have led to security breaches.&amp;nbsp;&amp;nbsp; Some of these were purely due to the provider, not protecting their own infrastructure and clients on the basis of IaaS, and the client does all the rest - their responsibility.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;No matter how good you think you are and whether you have been audited for consistency of your processes&amp;nbsp; and controls, they are normally a point in time.&amp;nbsp;&amp;nbsp; Anything can happen between the first and last audit.&amp;nbsp;&amp;nbsp; Therefore I am a believer in third party services, providing an objective overall umbrella to the clients, but also to the provider themselves.&amp;nbsp; Clients make mistakes, so do cloud providers, no matter how hard they try.&amp;nbsp;&amp;nbsp; With the deep transformations organisations are facing with digital disruption caused by IoTs, Cloud migrations and client demands, the world is rapidly changing and compliance costs are also growing exponentially at the same time.&amp;nbsp;&amp;nbsp; Organisations are under huge pressures and demands from their own clients.&amp;nbsp;&amp;nbsp; Clients can literally move overnight from one provider to another and the effects can be devastating.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The reality is within Cloud, the clients have to prepare for the transformation as well, not just the cloud provider to accommodate the clients' requirements.&amp;nbsp;&amp;nbsp; It is a journey, that they have to embark on, and embrace.&amp;nbsp;&amp;nbsp; There is no point stating I will put 5% of my assets into the cloud, and hope to make vast savings in infrastructure and support costs, when in reality, these will only be realised, if one carefully works out the best migration strategy in 
alignment with the business needs of the organisation.&amp;nbsp;&amp;nbsp; It takes time, and careful planning, despite all the marketing hype out there.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 08 Oct 2017 19:48:53 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/604#M21</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2017-10-08T19:48:53Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/759#M22</link>
      <description>&lt;P&gt;From what I hear and see, 3 things are stopping organisations from adopting the cloud:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- &lt;STRONG&gt;Control&lt;/STRONG&gt;: many companies feel they will lose control of their data when in the cloud be it technical, legal and so forth as it travels through different data centers across multiple countries and possibly through different companies providing the service.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- &lt;STRONG&gt;Security&lt;/STRONG&gt;: the question here is how do you secure what you don't control? how can a company explain to an auditor that they meet all their security standard when they don't know half the story of how their cloud provider operates and they can't enforce their desired security practice to meet certain compliance requirements.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- &lt;STRONG&gt;Jobs&lt;/STRONG&gt;: let's face it, Cloud services created new job titles, but let go of a lot of IT Operations task force as not required. This is evolution and bound to happen, but the main people that happen to help make the call whether to Cloud or not are... you get it - IT Operations who are worried about their jobs.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Don't get me wrong, the Cloud is the natural evolution to meet some of the CIA triad's requirements, but it's still fragmented, complex and doesn't meet the requirements for quick adoption to many organisations.&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2017 08:34:40 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/759#M22</guid>
      <dc:creator>redorbit</dc:creator>
      <dc:date>2017-10-09T08:34:40Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/803#M23</link>
      <description>&lt;P&gt;Good point to consider about availability considerations in regard to natural disaster events. This is why when we audit disaster recovery plans and/or business continuity plans we always note the location of the secondary data center and make appropriate recommendations considering the natural disaster risks for the area.&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2017 12:02:12 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/803#M23</guid>
      <dc:creator>Rodney</dc:creator>
      <dc:date>2017-10-09T12:02:12Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/820#M24</link>
      <description>&lt;P&gt;Hi redorbit,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I like your post, and think you have some valid points.&amp;nbsp; Here are my observations:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Control&lt;/STRONG&gt; - The fears companies have about losing control of their data if it is hosted in the cloud are not unfounded.&amp;nbsp; It is up to each company to properly classify their data, determine if the benefits of hosting the data in the cloud is worth the risk of unauthorized disclosure, and then develop controls for cloud-hosted data that address the risk.&amp;nbsp; I think this is one of the reasons why hybrid cloud is getting a lot of traction.&amp;nbsp; Some companies are hedging their bets and keeping the crown jewels close to the home.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Security&lt;/STRONG&gt; - Again, these are valid concerns.&amp;nbsp; One way that companies can address their concerns about future audit headaches is to get the auditors involved early in the analysis and design phases of cloud adoption/migration projects.&amp;nbsp; Auditors should be able to suggest controls for cloud technologies that meet policy and regulatory requirements.&amp;nbsp; It's too late to get auditor advice once the solution is up.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Jobs&lt;/STRONG&gt; - Yep.&amp;nbsp; When considering only the money spent, the OPEX model of cloud often ends up being more expensive than the CAPEX model of on-prem.&amp;nbsp; Companies then often offset the additional cost of cloud through redundancies/layoffs/outsourcing of IT Operations staff.&amp;nbsp; It's debatable whether or not this will end up being a long-term trend.&amp;nbsp; What is incumbent upon each and every one of us is to adapt to the times.&amp;nbsp; Get as much experience as you can.&amp;nbsp; Utilize resources like the free Amazon EC2 instance.&amp;nbsp; Study.&amp;nbsp; 
Certify.&amp;nbsp; As with everything in tech, cloud will continue to evolve.&amp;nbsp; It's not going to go away.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2017 12:49:34 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/820#M24</guid>
      <dc:creator>jalberts</dc:creator>
      <dc:date>2017-10-09T12:49:34Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/890#M25</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't but have tried and failed the CCSP already (by 2 questions :-() but it doesn't matter&lt;/P&gt;&lt;P&gt;whether I fear it or not where I am we are well into it.&lt;/P&gt;&lt;P&gt;I also find that once you have the cloud, suddenly you have a heap of new security devices&lt;/P&gt;&lt;P&gt;which you have paid for and need to use.&lt;/P&gt;&lt;P&gt;If you are on AZURE for instance you have Microsoft Cloud App Security (an Adallom CASB&lt;/P&gt;&lt;P&gt;bought by Microsoft and therefore rather good), also the Microsoft security centre which is&lt;/P&gt;&lt;P&gt;also an acquired security device so that's good.&lt;/P&gt;&lt;P&gt;Now to develop some policies, get this gear monitored and working!&lt;/P&gt;&lt;P&gt;That's a bit of a challenge!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Steve&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2017 15:33:59 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/890#M25</guid>
      <dc:creator>switzer</dc:creator>
      <dc:date>2017-10-09T15:33:59Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/1024#M26</link>
      <description>&lt;P&gt;You make very good points as to why people are concerned, but I would like to expand on those concerns with why they&amp;nbsp;may not necessarily be valid if an organization takes the time to properly plan.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If architected and implemented correctly (BIG caveat), organizations have complete visibility of their resources in the cloud...there aren't any servers hiding under someone's desk. And with features such as AWS' Organizations, an enterprise can manage and govern all of their AWS cloud accounts to monitor and enforce enterprise policies.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The key to success is understanding the shared responsibility model and be diligent for your portion in the cloud.&amp;nbsp; All of the news about breaches in the cloud have been from cloud customers not protecting their portion&amp;nbsp;and not taking advantage of all the security features and warnings - no encryption, public access, posting credentials in code on GitHub, etc.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Taking things to the next level, an organization can automate and scale security so that very little human intervention is required.&amp;nbsp; So not only can the cloud (with the right provider) be just as secure as on-prem, it has the potential to be more secure than on-prem.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We simply need to apply the same lessons learned from traditional IT to the Cloud.&amp;nbsp; You can't rely on a new Firewall out of the box, it is your responsibility to configure it properly and maintain it.&amp;nbsp; It is the same for cloud services, there are some default security settings, but it is still the customer's responsibility to configure, monitor, and maintain security.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 12:05:44 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/1024#M26</guid>
      <dc:creator>MichaelS</dc:creator>
      <dc:date>2017-10-10T12:05:44Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/1047#M27</link>
      <description>&lt;P&gt;Agreed. Just like driverless cars, the new technology doesn't have to be perfect, just better than the alternatives. But it should be better. Whether it is, will always depend upon how well it is done in house, and how well an outsource provider does it. An outsource provider who specializes in the service offered and gains economies and efficiencies of scale CAN be better.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;With cloud, we must also be mindful of where their responsibilities end and what remains for the consumer organization. It is not a magic bullet.&lt;/P&gt;</description>
      <pubDate>Mon, 08 Jan 2018 18:20:31 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/1047#M27</guid>
      <dc:creator>DavidSaylor</dc:creator>
      <dc:date>2018-01-08T18:20:31Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/1052#M28</link>
      <description>&lt;P&gt;Great comment!&lt;/P&gt;&lt;P&gt;There are a few great articles on Netflix and their "chaos monkey" process that speaks to your&amp;nbsp;point. Moving to the cloud alone doesn't create availability, rather properly architecting availability in&amp;nbsp;the cloud and regularly testing availability creates availability.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 14:59:14 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/1052#M28</guid>
      <dc:creator>jeffcoop9</dc:creator>
      <dc:date>2017-10-10T14:59:14Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/1065#M29</link>
      <description>&lt;P&gt;I work for a Fortune 500 that has opted to move everything to the Cloud and if a system migration to the Cloud is not feasible (like mainframe)&amp;nbsp;then to contract a MSP.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I&amp;nbsp;am firmly of the opinion&amp;nbsp;that the business drivers of the decision to move to the Cloud largely determine the end-state security posture of systems not the Cloud technology itself. I would advise not to fear Cloud technology per se but &lt;SPAN&gt;trepidation&lt;/SPAN&gt; of the&amp;nbsp;specific business drivers of moving to it is valid - as those will determine your future security posture in the Cloud.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It is entirely possible, and I would argue likely, that a corporation's security posture will be substantially weakened in the Cloud if the "primary" driver is near-immediate CapEx&amp;nbsp;and OpEx&amp;nbsp;reduction rather than system availability, business agility or even increased operational automation.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 15:20:38 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/1065#M29</guid>
      <dc:creator>sendero4406</dc:creator>
      <dc:date>2017-10-10T15:20:38Z</dc:date>
    </item>
    <item>
      <title>Re: Don't Fear the Cloud!</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/1088#M30</link>
      <description>&lt;P&gt;Nice read and I agree.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The cloud is an important asset to businesses. We need to embrace it because at the end of the day it is about keeping the business up to bring in profits.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 16:32:18 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Don-t-Fear-the-Cloud/m-p/1088#M30</guid>
      <dc:creator>mharrison</dc:creator>
      <dc:date>2017-10-10T16:32:18Z</dc:date>
    </item>
  </channel>
</rss>

