Wrong assumptions and common mistakes around cloud security

By Benjamin Cher August 7, 2015

Businesses hamper cloud security with different security policies
Decision-makers are becoming more aware about security

Wrong assumptions and common mistakes around cloud security

BUSINESSES are increasingly consuming cloud services, with Gartner forecasting that spending on public cloud services for mature Asia Pacific markets (comprising Australia, Japan, New Zealand, Singapore and South Korea) will reach US$7.4 billion this year.

Despite this, there are still some wrong assumptions floating about when it comes to cloud security, according to Phil Rodrigues (pic above), vice president, British Telecom Security, Asia Pacific, Middle East and Africa, BT Global Service.

“I think one wrong assumption is that the cloud is insecure, which was something we saw three to five years ago,” he told Digital News Asia (DNA) in Singapore recently.

While the cloud is no longer assumed to be insecure, the way organisations handle it tends to make their implementation insecure, depending on where and how they apply their security controls.

“If they only put security between themselves and the cloud, they aren’t protecting any of the data and the environments between it,” said Rodrigues.

The cloud makes perimeters murkier, and organisations typically might have to manage their own private network, as well as the cloud, Internet connectivity, and external partners.

“They need to think where their users are and where their attackers are, and need to put security [measures] between their attackers and their data,” Rodrigues said.

Network traffic is now increasingly moving laterally, with data and workloads being moved to the cloud, which means it is not enough to just have security in-between the organisation and its cloud provider’s network.

With increasing communications between virtual machines (VMs), Rodrigues said he would recommend ‘micro-perimeterisation’ to protect that traffic, which he described as a “fundamental building block” for security.

“Micro-perimeterisation is just shrinking security controls down along all the virtualised images and virtualised networks,” he said.

“You need to put host-based security virtualised inside each one of those [security] controls … to protect the data as much as possible, so you can let the workloads shift between the public cloud, private cloud, and internal datacentres,” he added.

Mistakes with the ‘as-a-Service’ model

The popularity of the ‘as-a-Service’ subscription model is increasing, on both the enterprise and vendor side, with even Microsoft offering subscription models for its Office productivity suite.

These subscriptions are often cloud-based, adding another dimension to the cloud equation.

A common mistake organisations make in managing their ‘as-a-Service’ subscriptions is the inconsistency in their security controls, according to Rodrigues.

“They need to be consistently managing their ‘as-a-Service’ subscriptions in the same way across [these services],” he said.

“Don’t have one set of security [policies] with your application service provider, another set for your Infrastructure-as-a-Service provider, and third kind for your own network – you need to manage them consistently,” he added.

This inconsistency in security controls creates confusion among users and could lead to sensitive data being accessed via unsecured endpoints, he argued.

Another mistake that organisations make is not scanning their data across the different networks and platforms. They bring the data back from all the various sources, but do not do a threat analysis across all the data, activities and locations.

Since perimeters are no longer clearly defined, merely protecting the perimeter is not enough to guarantee security. Instead, organisations need to constantly monitor the network for attacks and suspicious activities, Rodrigues said.

ISP security issues

Many Internet service providers (ISPs) now bundle security into their offerings, but this is just a single layer of security between an organisation and an attacker.

“Yes, ISP security is definitely important, but no, you can’t just only do ISP security – you need local security as well," said Rodrigues.

“Not all ISPs can handle the large attacks, so you need to be able to stop those attacks before they get into the country.

“In general, we would like to see three layers of security – baking security into that local telco network is very important,” he added.

Another layer would be the local network. “Security needs to be pushed down as close as possible to the organisation – it needs its own security controls around its data, [with something as] simple as a firewall,” he said.

Finally, the cloud itself requires a layer of security, which can be used to mitigate Distributed Denial of Service (DDoS) attacks, which overload servers with requests, rendering websites inaccessible. This layer can redirect DDoS attacks before they can hit the domestic network.

Greater all-round awareness

Wrong assumptions and common mistakes around cloud security There are signs that customers are beginning to understand more about security and are rectifying commonly-held misconceptions, according to Rodrigues (pic).

Security now is increasingly becoming more than just a chief information security officer issue, but a concern across the entire C-suite.

“We are seeing a trend towards that, where IT is not something only for an IT manager, it’s important strategically for the CIO, COO, CFO and CEO (chief information, operating, financial, and executive officer), and they make business decisions,” he said.

This greater awareness across the C-suite has also opened up budgets for security, because it is seen as fundamental to the organisation.

Increased media coverage is also benefitting everybody, from the man in the street to key decision-makers, according to Rodrigues.

“For example, my mother pays a lot more attention to computer security now than she used to,” he said.