Who Is Accountable For a Hybrid Cloud Security Breach?

October 20, 2017 Emily Davidson

According to Mark Nunnikhoven, Trend Micro Vice President of Cloud Research, the answer is obvious: You are. Your organization entrusts you with their data and they expect you to take the proper precautions.

We interviewed Mr. Nunnikhoven about the risky assumptions companies make, detecting shadow IT, choosing a provider, and the key to a resilient hybrid cloud. Despite the obvious risks, he remains optimistic that the cloud is the way of the future.

THERE ARE 6 LAYERS OF OPERATIONAL CLOUD SECURITY

According to Nunnikhoven, you achieve hybrid cloud security by first understanding the security stack and shared responsibility between on-premises data center IT and the public cloud service.

“There are six layers of operational security,” says Nunnikhoven: “The physical layer, which includes buildings and real estate leases, is the bottom of the stack. The next layer is infrastructure, such as power and cooling. Then comes virtualization, operating systems, applications, and data. For each of those layers, someone is responsible for security and operations. When you move into the cloud you share those duties with the cloud provider. You need to understand exactly what their respective responsibilities are.”

It is also vital to establish a recovery plan for when (not if) something goes wrong.

SENSITIVE DATA IS 99.999999999% MORE SECURE IN THE CLOUD

According to Nunnikhoven, keeping data in-house is riskier than storing data in the public cloud, as most IT departments overestimate their security capabilities. “The top cloud services offer up to eleven nines of availability (99.999999999 percent) and twenty-four hour expert security monitoring and response. Very few IT departments can match those capabilities in house.”

A MORE EFFECTIVE STRATEGY USES THE PUBLIC CLOUD FOR PRIMARY DATA STORAGE AND BACKS UP TO YOUR ON-PREMISE DATA CENTER OR TO A DIFFERENT REGION IN THE CLOUD WITH A DIFFERENT SET OF INFRASTRUCTURE.

UNEARTH SHADOW IT, BUT DO NOT BURY IT

Nunnikhoven feels that Shadow IT results from IT service quality limitations. “Most IT departments can’t match the effortless file sharing of DropBox and Box.” Rather than banning Shadow IT, Nunnikhoven suggests cooperation and education. “Go to your file sharing users and let them know there’s a corporate version of Box or DropBox that gives IT the visibility, controls, and reports that benefit the organization’s security stance.”

How do you discover all of your Shadow IT instances? “Start by talking to the finance department, as people rarely pay for shadow IT out of their own pockets. Then analyze outbound network traffic to see if some teams are making constant requests to cloud services.”
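The second step Nunnikhoven describes, looking at outbound traffic for teams that keep hitting consumer cloud services, can be automated over egress proxy logs. The following is an added example, not code from the article or from Trend Micro: it parses a few constructed log lines (timestamp, source IP, destination host, bytes sent), maps source subnets to teams through an assumed inventory table, and reports every team/service pair whose request count crosses a threshold, together with how many distinct hosts were involved, how much data left, and how long the burst lasted. The log format, subnet-to-team mapping and service domain list are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample egress proxy log lines (not real traffic), one per line:
# <ISO timestamp> <source IP> <destination host> <bytes sent>
SAMPLE_LOG = """\
2017-10-19T09:00:01 10.1.1.10 www.dropbox.com 512000
2017-10-19T09:00:09 10.1.1.10 content.dropboxapi.com 2048000
2017-10-19T09:01:15 10.1.1.11 www.dropbox.com 128000
2017-10-19T09:02:40 10.1.1.10 api.dropboxapi.com 40960
2017-10-19T09:03:02 10.1.2.20 intranet.example.internal 3000
2017-10-19T09:04:30 10.1.2.21 app.box.com 70000
2017-10-19T09:05:11 10.1.1.12 www.dropbox.com 900000
2017-10-19T09:06:00 10.1.3.30 www.example.com 1500
"""

# Assumed subnet-to-team mapping, as an asset inventory or DHCP records would provide.
TEAM_BY_SUBNET = {"10.1.1.": "marketing", "10.1.2.": "finance", "10.1.3.": "engineering"}

# Consumer file-sharing services named in the article; suffix match also covers API hosts.
CLOUD_SERVICES = {"dropbox": ("dropbox.com", "dropboxapi.com"), "box": ("box.com",)}

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, nbytes = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "host": host.lower(), "bytes": int(nbytes)}


def team_for(ip):
    """Longest-prefix-free lookup: first matching subnet prefix wins, else 'unknown'."""
    for prefix, team in TEAM_BY_SUBNET.items():
        if ip.startswith(prefix):
            return team
    return "unknown"


def service_for(host):
    """Return the cloud service name a destination host belongs to, or None."""
    for name, suffixes in CLOUD_SERVICES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return name
    return None


def find_shadow_it(log_text, min_requests=3):
    """Aggregate requests per (team, service) and keep pairs at or above
    min_requests. Each hit reports request count, distinct source hosts,
    total bytes sent and the span in seconds between first and last request."""
    stats = defaultdict(lambda: {"requests": 0, "hosts": set(), "bytes": 0,
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the sweep
        svc = service_for(rec["host"])
        if svc is None:
            continue  # not a tracked cloud service
        s = stats[(team_for(rec["src"]), svc)]
        s["requests"] += 1
        s["hosts"].add(rec["src"])
        s["bytes"] += rec["bytes"]
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return {
        key: {"requests": v["requests"], "hosts": len(v["hosts"]), "bytes": v["bytes"],
              "span_seconds": int((v["last"] - v["first"]).total_seconds())}
        for key, v in stats.items() if v["requests"] >= min_requests
    }


if __name__ == "__main__":
    for (team, svc), v in sorted(find_shadow_it(SAMPLE_LOG).items()):
        print(f"{team:<12} {svc:<8} requests={v['requests']} hosts={v['hosts']} "
              f"bytes={v['bytes']} span={v['span_seconds']}s")
```

On the constructed sample, marketing's three hosts make five Dropbox requests in about five minutes and move several megabytes, so that pair is reported; finance's single Box request stays below the threshold. Tune `min_requests` and the time window to your own traffic volume, and treat the output as a starting point for the conversation the article recommends, not as proof of policy violation.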

Infrastructure in the cloud scales up and down so quickly, there’s no way to put a fence around it all.

“It’s far easier and more effective to protect each of those assets where they are as opposed to where they sit,” says Nunnikhoven. “Yes, you want those defense layers but you need to armor individual soldiers as well.” This means building security features into your applications as they’re developed, instead of trying to secure them after they’re built.

NEVER ASSUME THAT YOUR DATA IS PROTECTED AUTOMATICALLY

The biggest mistake organizations make in the hybrid cloud is extending their existing data center into AWS, Google or Azure, wrongly assuming that everything will route through their security controls. According to Nunnikhoven, “Ignoring the native public cloud security controls is neither productive nor safe. Those that start with a cloud-native security perspective will have much less exposure and better overall security awareness and results.”

ORGANIZATIONS SHOULD RECOGNIZE THEIR NEED TO MOVE FULLY INTO THE CLOUD SOONER RATHER THAN LATER

“Your in-house data centers and investments won’t last forever,” says Nunnikhoven. “By the end of that five-to-seven-year data center lifecycle, it’s probably time to move it all to the cloud. Start designing your operations and security around that future and apply cloud-native philosophies and tools on-premises now to make sure you have one toolset and workflow across the hybrid environment.”

CHOOSE CLOUD-AWARE SECURITY SOLUTIONS

Make sure any hybrid cloud security solution you choose understands and integrates easily with AWS, Google or Microsoft Azure, and that it scales up and down automatically with the service. Look for programmability as well, since just about everything in the cloud is accessible through an Application Programming Interface (API).

“The key to a resilient hybrid cloud is understanding that security is not simply about keeping things out.”

Nunnikhoven continues, “It’s really about making sure your servers and systems are doing what you expect and nothing more.” For example, make sure your shoe sales website processes only valid transactions and serves up traffic to valid consumers. Deploy multiple fallbacks for each control, such as an intrusion prevention system in addition to a firewall. You must test your processes and adapt continually as change is constant in the hybrid cloud.

WHEN AN ENTERPRISE-LEVEL BREACH HAPPENS, POINTING THE FINGER AT YOUR PUBLIC CLOUD SERVICE PROVIDER IN FRONT OF SHAREHOLDERS IS LIKE TELLING THEM YOU’RE FLYING BLIND.

Ultimately, you are accountable and responsible for proving that you have taken all possible precautions.
