Public Cloud Security Is A Conundrum

Uploaded on 2018-08-09 in NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Ten years ago this week, Gartner released Assessing the Security Risks of Cloud Computing. Although several research notes in 2007 discussing SaaS security, the 2008 note co-authored by Jay Heiser and Mark Nicolett was Gartner’s first research using the term ‘Cloud Security’.

Unsurprisingly for a new domain, we had more to say about the hypothetical risks associated with the public cloud than we had to say about the specifics of managing those risks.

Most of the advice was generic, including bromides such as “Organisations that have IT risk assessment capabilities and controls for externally sourced services should apply them to the appropriate aspects of cloud computing.”

Captain Obvious couldn’t have said it better. That lack of specificity was representative of the conundrum that continues to frustrate the IT world: the cloud is just like traditional forms of computing, except that everything is different.

Our 2008 research highlighted 4 key findings that have remained significant considerations for the use of public cloud computing:

Finding 1: The most practical way to evaluate the risks associated with using a service in the cloud is to get a third party to do it.

Formal 3rd party evaluations (ISO 27001, SOC2, FedRAMP) are the only scalable way to provide a useful level of assurance on cloud provider security. Unfortunately, it still remains the case that only a small percentage of cloud service providers have undergone one. ‘How do we evaluate the security of CSPs’ remains my most frequent inquiry topic.

Finding 2: Cloud-computing IT risks in areas such as data segregation, data privacy, privileged user access, service provider viability, availability and recovery should be assessed like any other externally provided service.

In practice, the segregation of data between customers has not proven to be a significant problem, but the relative lack of transparency around the associated CSP technical and process controls remains a typical area of customer concern. There have been a number of small CSPs that have gone bankrupt, so vendor business viability remains a uniquely difficult aspect of cloud risk management, but in most cases, the providers have been so small that their loss was barely noticed by the enterprise. CSP incidents resulting in permanent data loss do occur, but are relatively infrequent.

Finding 3: Location independence and the possibility of service provider “subcontracting” result in IT risks, legal issues and compliance issues that are unique to cloud computing. Increasingly strict privacy regimes, and the dominance of the cloud services market by US-owned CSPs, has made data location a growing concern.

Today, new global norms for privacy or government data discovery look less likely than ever. The ‘chain of service provider’ model continues to grow in significance. The risks have mostly been sustainable, but it remains an area of ambiguity that would benefit from greater formalization on risk assessment and shared responsibility.

Finding 4: If your business managers are making unauthorized use of external computing services, then they are circumventing corporate security policies and creating unrecognised and unmanaged information-related risks. At one point, a significant minority of Gartner clients had policies that banned the use of unapproved external services.

The rapid shift in software delivery from a licensing to a servicing model made this unsustainable, and many IT leaders flip flopped, seemingly totally washing their hands of any responsibility for the implications of shadow IT. The number and significance of cloud services, especially SaaS, has exploded over the last 10 years.

Several Cloud Application Security Broker (CASB) vendors provide reliable evidence that most organisations improperly expose large amounts of sensitive data in the public cloud, not because the cloud services are ‘insecure’, but because they are being used insecurely.

CSPs normally do not emphasise the boring and unglamorous aspects of digital operations (indeed, a strong case can be made that most cloud services are marketed as a way to circumvent the IT department). Most cloud use scenarios remain a tacit agreement between the provider and customer to avoid awkward questions about user activity and responsibility.

As public cloud increasingly becomes the default model for software vendor delivery, and hosts a growing share of whatever computing is still left ‘in house’, it remains a marvelously ambiguous topic.

In the previous decade, recognizing the inherent difficulty in definitely pronouncing a cloud service provider as being ‘secure’, we began speculating on a philosophical question: if public cloud experiences relatively few failures, will people eventually come to trust the delivery model, even if they don’t have causal evidence?

Under what circumstances would the default assumption flip to ‘secure’. It took us until 2015 to declare “Clouds Are Secure”, subtitling that research ‘are you using them securely?’ The caveat about ‘secure use’ remains our most important finding.

Awkwardly, organisations that undertake heroic levels of CSP risk assessment effort fail to demonstrate a significant difference in experience in comparison to organizations that barely bother.

This is not saying that you can always take CSP security for granted, but it is difficult to escape the conclusion that many enterprises would be better served by spending more time on the things they can control, instead of trying to manage the things they cannot.

Most cloud security incidents involve avoidable customer misuse of the cloud service. Likewise, cloud service providers do a relatively good job of meeting their Service Level Agreements, but their customers often fail to take full advantage of configurable or optional resiliency mechanisms.

The best practice for safe use of cloud computing is not the crafting of the ultimate questionnaire, it’s the knowing how to use it appropriately.

This is the message - that responsibility is shared between provider and customer.

Ten years of focused research has reinforced Gartner’s observation that while public cloud is very much like traditional computing in the abstract, countless practices have changed in significance and form.

It has proven a secure and reliable starting place for computing, with overall low levels of failure. Keeping it that way requires the will to do so, though, and the IT community continues to refine its understanding of ‘how to use it appropriately.’

Information-Management:

You Might Also Read: 

How Cloud Computing Changes Data Governance Strategies:

The Cloud Is A Key To Cyber Defence:

 

« Social Media Giants Under Caution In Vietnam
Healthcare Cyber-Attacks Still Going Up »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Aurec

Aurec

Aurec provides specialist recruitment and contracting services including ICT professionals.

EuroISPA

EuroISPA

EuroISPA is a pan European association of European Internet Services Providers Associations and the world’s largest association of ISPs.

Cyberkov

Cyberkov

Cyberkov services include Pentesting, Vulnerability Assessments, Digital Forensics, Incident Response, Source Code Analysis and Security Training.

Cobalt Strike

Cobalt Strike

Cobalt Strike is penetration testing software designed to execute targeted attacks.

Smoothwall

Smoothwall

Smoothwall develop intelligent web filtering, Monitoring and security solutions designed to protect users worldwide.

LSEC

LSEC

LSEC is a not for profit organization that has the objective to promote Information Security and the expertise in BeNeLux and Europe.

Cyber Resilient Energy Delivery Consortium (CREDC)

Cyber Resilient Energy Delivery Consortium (CREDC)

CREDC performs multidisciplinary R&D in support of the Energy Sector Control Systems Working Group’s Roadmap of resilient Energy Delivery Systems (EDS).

Fortra

Fortra

Fortra (formerly HelpSystems) is your cybersecurity ally, unified through the mission of providing solutions to organizations' seemingly unsolvable cybersecurity problems.

Vdoo

Vdoo

Vdoo provides an end-to-end product security platform for automating all software security tasks throughout the entire product lifecycle.

Southwest Research Institute (SwRI)

Southwest Research Institute (SwRI)

Southwest Research Institute SwRI are R&D problem solvers providing independent services to government and industry clients. Areas of expertise include Cybersecurity, Intelligent Networks and IoT.

Startup Wise Guys

Startup Wise Guys

Startup Wise Guys is a mentorship-driven accelerator program for early stage B2B SaaS, Fintech, Cybersecurity & Defense AI startups.

Cyber Griffin

Cyber Griffin

Founded by the City of London Police in 2017, Cyber Griffin is an initiative that supports businesses and individuals in the Square Mile to protect themselves from cyber crime.

Celcom

Celcom

Celcom is the oldest mobile telecommunications provider in Malaysia, providing solutions and services to consumers and businesses.

Topsec Cloud Solutions

Topsec Cloud Solutions

The Topsec Managed Email Security Platform eliminates Spam, Viruses, Malware, and Phishing.

European Union Agency for Network and Information Security (ENISA)

European Union Agency for Network and Information Security (ENISA)

The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe.

PRE Security

PRE Security

PRE Security is leading the transition into the next era of AI cybersecurity with a new model: Predict & Prevent.