The age of cloud security gives rise to the somewhat mixed metaphor of a cat and mouse game played out on shifting sands. Cloud security professionals face a multidimensional conundrum as they try to keep pace with changing technologies, upgrades, internal political pressures, and of course external infiltration attempts. Danger can come from the outside or within. It can be mechanical, software driven, or the fault of human beings. And answering the call at the end of this long list of stresses and priorities is a hugely busy, often overworked security team.
So what do they have to say about it? We asked the CEO of (ISC)², a global leader in information, cyber, software and infrastructure security certifications, including the Certified Cloud Security Professional (CCSP℠), and two CCSP-certified security experts to share some of their knowledge and observations. What have they seen? What worries them, and what advice would they offer? Here are a few of their revelations.
“Everyone is migrating to the cloud,” says Adam Gordon, CCSP, and author and instructor for (ISC)². Through organizations, large and small, public sector and private, as well as millions of individual consumers, every device is connecting and interrelating with every other in ways that no one can accurately map. “The problem is, we don’t always understand what cloud means as we start to consume. As a result, there tends to be a gap where consumption is a lead indicator and security is an afterthought.” Gordon points out that the causes of major breaches can often be tracked to lax behavior on the part of individuals. “Do they understand the implications of allowing an application on their phone, to use the phone’s location services to provide location information to a cloud service? How is that being used? How is it being archived? How is it being tracked?” he asks.
People place a great degree of trust in their systems and their providers and, for Adam, this is not enough. “I think the mistake we make today, or that we have made historically, is we put faith into the provider and say, “they’re going to take care of it…” and we don’t verify. Adam prefers to embrace the phrase used by President Reagan during the 1987 arms control negotiations, and taken from a traditional Russian proverb: trust but verify. “If you take the trust but verify approach, we come up with a solution that actually leads to cloud security. If we just trust, but don’t verify, I think we’re in for some nasty surprises along the way.”
These concerns are echoed by Pat (a pseudonym), a CCSP-certified cyber strategist with a federal Government department, who points out that a disturbing lack of cohesive policy makes security efforts much harder. “There is very little foundation for cloud environments right now,” Pat says, “the best things out there actually come from the vendors (as opposed to internal), but each vendor has different kinds of priorities. This makes it hard to determine what the threats are, as well as identifying what you don’t know about this environment.” Pat mentions that although external hacking gets the lion’s share of media attention, sometimes the problems come from more day-to-day maintenance activities. “Every time there is an update to your operating system, and you are running software, they can change your actual security configurations. You have to be constantly going back and reviewing what’s going on, and scanning your systems, and seeing what Vulnerabilities that previously had been closed have been reopened again; and that is a constant battle.”
Pat’s main recommendations for striving toward a more secure cloud-connected IT system are a common nomenclature and a wider vision. “In the CCSP training class, I found it highly beneficial to address the naming conventions of how we talk about the cloud-based environments,” Pat says. “You have to understand all those terms and work them through your head in order to have meaningful conversations.” In addition, there is a need for a defined set of policies, and dependable and thorough processes. For example, when an organization performs an internal audit, they should not simply audit the outcomes of a system’s configuration, but rather they should also audit the process to make sure that people are doing things in a way that consistently reaches management’s expected outcomes. Once again, this means understanding the actions of people, along with the technology.
Compounding the challenges for organizations and their security specialists is convergence, says David Shearer, CEO, (ISC)². People often see expansion, in terms of the increasing numbers of devices and technologies connecting to the global Internet. But at the same time, there is “convergence of literally every engineering discipline on the planet, such as mechanical, electrical, software, biomedical, and chemical,” resulting in a cross pollination of protocols and systems through which abuse and contagion have the potential to run rampant.
All three experts agree that the establishment of a common lexicon and culture of clear, proactive communications, paired with both mechanical and corporate awareness, is essential for helping to maintain secure systems, both locally and globally. This commonality and vision must be embraced throughout all managerial levels, reaching right to the top.
For more on the CCSP certification from (ISC)² please visit their website. Sponsored by (ISC)².
By Steve Prentice