The following is a guest post by Fred Langston, Sr. Product Manager for VeriSign’s Global Security Consulting group.
With the stampede to the next big thing gaining speed, Cloud Computing and Cloud Services face the standard, yet utterly preventable, horse-before-the-cart security conundrum. Anytime paradigm-shifting technology that saves money and decreases operational costs hits the market, two things are certain – 1) your company, just like 99% of the other companies in your vertical, will be running with the pack straight towards rapid adoption, and 2) security tools, techniques, and control technologies to find and mitigate the huge business risks associated with the new cloud services are:
People, clouds and triumph, by cueller
- Lacking in essential functionality, scalability, or cloud-wide scope
- Not based on well-vetted best practice policies or standards specific to each particular cloud environment (because none exist yet!)
- Not able to provide the same level of visibility and granularity in security controls your company currently employs in their non-cloud, non-virtualized IT environments
Most likely, little (if any) thought has been given by the business about exactly what your company’s security requirements are for most cloud computing projects other than, “Our Cloud Services provider has assured us that…”
So, what are the InfoSec troops, fighting in the trenches, able to do to create the most secure use of Cloud Services possible, other than losing sleep? Well, anyone that knows me knows I’ll spout a best practice solution for everything under the sun given a sliver of an opening. It’s my nature. But, not here.
Cloud services seem to me to impose on us a devilishly more complicated, already barely tenable enterprise security tableau that we must design, implement, and operate in perpetuity. Like security’s not already hard enough or not already too expensive for management. Should we just resign ourselves to the fact that essentially we can no longer provide the security we expect for those outsourced cloud services, that it’s Contract’s and Legal’s and Audit’s problem now and not ours? Or, do we demand the right to dig? To dig deep into the cloud service provider’s…well, everything?
Why would we not hold a Cloud Services vendor, who’s running their security infrastructure in a very similar if not identical manner as a Managed Security Services Provider (MSSP), to the same standards of service that we demand of every MSSP in the space? How logical is that? If they really are protecting the systems, networks, and data to the level they promise to contractually, why would they not have the same set of data ready to share with us about security operations in ‘our cloud’? Only the Cloud provider can provide this information and that makes them an MSSP for the Cloud as well, by default. They have the firewall logs, IDS/IPS alerts, configuration data and the like for our cloud.
So, as an MSSP, I have to ask, “Where’s my daily aggregated alerts, change control logs, Firewall Rule changes etc, etc?” Seems to be a double standard we really can’t continue to live with if we plan on holding the line against the ‘bad guys’.
Possibly Related Posts:
- Selective Domain Filtering with Postfix and a SPAM Filtering Service
- Preventing Account Takeover, Enable MFA!
- Proofpoint Patches URL Sandbox Bypass Bug
- Improve Outbound Email with SPF, DKIM, and DMARC
- Life after G-Suite/Postini