It took a while for companies to accept the idea that cloud architecture was secure. Now, has that acceptance swung too far the other way? For insights on the real state of cloud and workload security, we checked in with a cloud security expert, Rajiv Gupta. Rajiv is senior vice president of the cloud security business unit at McAfee. With more than 20 years of successful enterprise software and security experience and more than 45 patents, Rajiv is recognized as a web services and security pioneer.
Q: What’s one of the most common and maybe the most dangerous misconceptions companies have about cloud security?
A: Cloud service providers ensure their service is secure, but that does not relieve companies of the responsibility of following good security practices. The large providers of software as a service, such as Microsoft Office 365, Salesforce and ServiceNow, and the large cloud infrastructure companies such as Amazon, Microsoft and Google, all do a really good job of making sure their infrastructure and services are secure: storage, servers, networks, operating systems and patch management. All of that is very secure.
Research firm Gartner stated that, at least through 2023, 99 percent of cloud security failures will be the customers' fault. That means that, while the underlying cloud service may be secure, organizations [also] have to ensure they are using those cloud services appropriately. Cloud security is a shared responsibility between the cloud service provider and the organization using the cloud service.
For example, if an employee at my company shares confidential data in [Microsoft] OneDrive with a competitor, that’s not Microsoft’s problem. That’s my problem. If my organization does not configure multifactor authentication on Office 365 and therefore exposes it to some of the very common ways of password guessing and attacks, that’s not Microsoft’s problem. That’s my problem.
The reality is that comprehensive cloud security requires shared responsibility and the customer’s share is the largest part.
Q: What are some of the specific steps companies can take to ensure the safety of those workloads and data?
A: I think of it in three stages — visibility, prevention and detection. The first thing is to construct an inventory to understand what needs to be guarded. Where are my workloads? Where are my applications? My containers? My data? What SaaS [software as a service] applications are my employees using? If I don’t know where these things are, I have no way of securing them.
The next step is to define policies that can prevent incidents. For example, what data can be shared, and what’s confidential? Who can share what, and with whom? When those policies and boundaries are established, I need to have the ability to enforce those policies across multiple cloud providers, both SaaS and infrastructure providers.
We all know that policies will never be perfect. So, I would also need to implement a third step — which is to observe the behavior of my assets, my data, my applications and how they are being used. Applying behavioral analytics, I can assess if they’re being used the way I anticipated or if there is evidence of anomalous behavior I should know about. For example, an employee who accesses their records in HR [human resources] would raise no flags unless that employee is now suddenly accessing that information in a way they’ve never done before. If they’re looking up their records at midnight from another country, that would prompt me to take more measures to authenticate their identity and their actions.
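The midnight-from-another-country scenario above can be made concrete with a small behavioral baseline. The following Python is an added example written for this page; it is not code from the interview or from any McAfee product. The log format (UTC timestamp, user, application, source country), the user and application names, and the thresholds (five prior events before a baseline is trusted, a two-hour slack around usual hours) are all assumptions chosen for illustration. The sample log lines are constructed.

```python
"""Learn per-user, per-application access baselines from SaaS access logs
and flag events that fall outside them (added example; not the interview's
own material).  The detector works online: each event is scored against the
user's prior history and then added to it, so no "normal" has to be
specified up front."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<UTC timestamp> <user> <application> <source country>".
# alice has a stable daytime, US-only pattern and then one midnight access
# from a country never seen before.  bob has too little history to judge.
SAMPLE_LOG = """\
2021-03-01T09:12:00Z alice hr-portal US
2021-03-02T10:03:00Z alice hr-portal US
2021-03-03T11:47:00Z alice hr-portal US
2021-03-04T14:20:00Z alice hr-portal US
2021-03-05T16:05:00Z alice hr-portal US
2021-03-08T09:30:00Z alice hr-portal US
2021-03-08T09:31:00Z bob hr-portal US
2021-03-09T00:14:00Z alice hr-portal RO
2021-03-09T23:50:00Z bob hr-portal DE
"""


def parse_log(text):
    """Parse the assumed four-field format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "app": app,
            "country": country,
        })
    return events


def hour_distance(a, b):
    """Circular distance between two hours of day, so 23:00 and 00:00 are 1 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def detect_anomalies(events, min_history=5, hour_slack=2):
    """Score each event against the (user, app) history seen before it.

    Returns a list of (event, reasons) for events that deviate.  Users with
    fewer than min_history prior events get no verdict: the answer there is
    to keep observing, not to alert on a baseline that does not exist yet.
    """
    history = defaultdict(list)
    findings = []
    for e in events:
        key = (e["user"], e["app"])
        prior = history[key]
        reasons = []
        if len(prior) >= min_history:
            usual_hours = {p["ts"].hour for p in prior}
            usual_countries = {p["country"] for p in prior}
            if e["country"] not in usual_countries:
                reasons.append(
                    f"country {e['country']} never seen before "
                    f"(usual: {sorted(usual_countries)})")
            if all(hour_distance(e["ts"].hour, h) > hour_slack for h in usual_hours):
                reasons.append(
                    f"hour {e['ts'].hour:02d}:00 UTC outside usual hours "
                    f"{sorted(usual_hours)}")
        if reasons:
            # The response the interview describes: step up authentication
            # rather than block outright.
            findings.append((e, reasons))
        prior.append(e)
    return findings


def run_sample():
    """Run the detector over the constructed log and return its findings."""
    return detect_anomalies(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for event, reasons in run_sample():
        print(f"STEP-UP AUTH {event['user']}@{event['app']} "
              f"{event['ts'].isoformat()}Z: {'; '.join(reasons)}")
```

Only alice's 00:14 access from RO is reported; bob's late-night access from DE is not, because two prior events are not enough history to call anything abnormal. In a real deployment the baseline would also cover the sharing behavior the interview emphasizes (who shares what with whom), and the verdict would feed a step-up authentication or conditional-access policy rather than a print statement.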
Q: You’ve said that companies must understand normal behavior in order to identify abnormal behavior. Is that a special challenge in the cloud?
A: Yes, distinguishing between normal and unusual behavior is more challenging in a cloud-based environment because the usage patterns in the cloud are very often different from those we would see in on-premises environments and applications. There is much more sharing in the cloud. Much more collaboration in the cloud. As a result, most organizations don't know what's normal for an employee, an application, a virtual machine or a container in a cloud environment.
It’s really important that the security control the organization specifies allows it to prescriptively do things in a proactive, friendly fashion. That control must also have the ability to learn behaviors and understand what actions are consistent with that behavior and which are not. This means I don’t have to specify normal behavior. The system will recognize something that’s different and notify me.
Q: How do you determine the balance between maintaining system security and giving employees access to the services and data they need?
A: Balance is really important, and it has shifted. We all know that if security prevents an employee from getting their job done, the employee will go around the security. When security adds friction to productivity, that security has failed. Thankfully, the technologies are now available today to enable companies to address security needs without getting in the way.
So today, the best security organizations are the ones that consider themselves the Department of Yes rather than the Department of No. Yes, go ahead. We’ll make sure that we deploy the security controls in a way that protect the organization — for example, by preventing sensitive data from being inappropriately shared — and at the same time are transparent and do not prevent employees, partners or customers from getting the job done.