When cloud computing was new, questions swirled around the ability of cloud service providers to keep their infrastructure secure. As more and more businesses began migrating to the cloud, it became apparent that the major cloud service providers were better equipped than most organizations to secure their networks. But questions remain, and customers of cloud services continue to seek better ways to secure their data.
Today, cloud security is becoming less of a discrete practice and more of a primary element of overall security and data protection strategies, said Pravin Kothari, CEO of CipherCloud. “Cloud is so ubiquitous that securing cloud apps and resident data is itself among the top priorities,” he said.
Under the shared responsibility cloud model, much of the responsibility for securing cloud apps and data has fallen on the organizations using cloud services. Mark Bower, senior vice president at Comforte AG, a data de-identification company, said the lion’s share of the responsibility is with the data owner, even if the data is used, processed, and managed in a third-party cloud.
“So while shared responsibility may sound appealing, it’s 100% responsibility to the data owners when it’s crunch time.”
Cloud security trends reflect a concern with meeting that responsibility. Here are five of them your data security team needs to know.
1. Organizations are using centralized platforms to provide multi-cloud security
Since most organizations are using multiple cloud providers, they’re looking for a unified way to secure them. They also want a centralized way to apply security controls and compliance policies. One way they’re doing that is through a cloud access security broker (CASB), software that sits between cloud service users and cloud applications, monitoring activity and enforcing security policies.
“At this point, CASB is the leading approach to addressing this issue, and most companies have budget allocated for CASB procurement. The goal is to have consistent governance and manage risk across all the clouds in a central manner.”
However, this centralized approach to multi-cloud security may not sit well with some cloud service providers. “Most modern architectures are cloud-agnostic, so you can just write apps to a service tier, and the service writes to any cloud it wants to,” said Davi Ottenheimer, president of Flying Penguin, a security consulting firm.
“Cloud providers don’t like that because there is no exit value. It’s good for the market, but it deflates a lot of the lock-in that companies like Amazon have built their empire on.”
2. Organizations are taking steps to protect their data before it reaches the cloud
Growing concern over data breaches, along with a proliferation of new rules, regulations, and standards aimed at forcing organizations to take better care of the data they rake in from consumers, has pushed businesses to start protecting information before it reaches the cloud.
When the first migration solutions came along, organizations were fairly cavalier about sending data to the cloud, said Ameesh Divatia, CEO of Baffle, a data encryption company.
“They would dump it into the cloud and let the cloud protection mechanisms take over. As migration became mainstream, security teams began to point out the vulnerability of that method.”
They began to insist that data be encrypted, masked, or tokenized before sending it to the cloud, he said. “Controlling data at the record level is becoming very, very critical.”
The rise of bring your own key (BYOK) is also part of this trend. Kothari said encrypting cloud data and securing the key away from the cloud service provider “is absolutely essential.”
“The latest trend is to enable data protection everywhere using rights-based management and authorizing specific users to decrypt the data at the specific time of use.”
A number of organizations are also choosing to encrypt cloud data broadly to meet legal and regulatory requirements, along with observing any of their specific organizational security policies, he said.
Davi Ottenheimer, founder and president of Flying Penguin, said BYOK was driven by regulators.
“Without regulations, we wouldn’t have it. The investments made in it are to allow people to protect themselves from cloud providers.”
BYOK isn’t for everyone, however. Eric Hanselman, chief analyst with 451 Research, said that it requires a level of sophistication and understanding about key management and key management systems that can present significant challenges for enterprise users.
“Taking on key management and doing it in a robust and effective way is not for the faint of heart.”
That may be why cloud providers offer fully managed key management services that are natively integrated into their offerings, which commonly results in encryption being enabled by default, for data at rest or in transit, and gives developers lifecycle management controls such as automatic key rotation and audit logging, said Joren McReynolds, director for product at Red Canary, a cloud-based security services provider.
“With businesses being held to numerous security and privacy standards, it’s advantageous for cloud providers to make this experience as seamless as possible, so businesses can focus on their business, not fiddling with the intricacies of handling key material correctly.”
Sid Dutta, Senior Data Security Products Executive at Micro Focus Voltage, said BYOK creates a perception that organizations have better control over and security of their data encryption keys, when in fact it doesn’t solve the fundamental issues associated with cloud data security, especially since these practices don’t apply to the keys that actually encrypt the data. They apply at the higher layer(s) of the key hierarchy and are still hosted on the cloud provider’s key management system infrastructure. On top of that, the data encryption keys are managed at the application layer once they have been retrieved from the KMS.
“Organizations should strive to adopt a Bring Your Own Encryption (BYOE) model wherever possible, and abstract the key management from the application developers and admins, as well as the cloud providers.”
3. Identity and access control in the cloud has increased in importance for organizations
Michael Dolinsky, co-founder and CTO of Ermetic, an identity and data protection company, said that identity and access management was in the hot seat today.
“Identity and access has become the new nightmare for the modern CISO.”
Micro Focus’ Dutta stresses that while encryption and tokenization of data are great, it’s equally important to ensure proper key management practices are put in place.
“[A] robust identity and privileged access management strategy needs to be woven into the organization’s cloud data protection strategy.”
One way companies have upped their game on identity and access is by adopting a zero-trust model, which restricts access to data, resources, and services to an as-needed basis, said Tim Erlin, vice president of product management and strategy at Tripwire, a cybersecurity threat detection and prevention company.
“Cloud and zero trust are good partners. If you can adopt a zero-trust approach as you move or build services in the cloud, you ultimately save yourself time and money around risk reduction.”
Casey Kraus, president of Senserva, a maker of a serverless cloud security platform, explained that security starts with the user. Kraus noted the numerous recent breaches that targeted misconfigured user accounts.
“Identifying these accounts and determining how to identify these high-risk users and possible shadow admins significantly reduces the attack surface of an organization. Using tools that cloud providers offer such as MFA, PIM/PAM, and other security licensing can help enforce zero trust.”
Cloud providers are also offering specific identity management platform capabilities integrated into their environments, as well as machine-learning-based analysis to help users understand who has access to which parts of their infrastructure and to recommend where permissions should be rolled back.
4. Organizational interest in SASE is growing
Secure Access Service Edge (SASE) is a framework for enabling fast and secure cloud adoption and for ensuring that users and devices have access to applications, data, and services anywhere and at any time. Interest in the technology has been goosed by the pandemic, which has forced an enormous number of people to work from home.
“SASE is the next-generation VPN. It brings together a lot of the access pieces that VPN did with a lot of the cloud capabilities of CASB. Whether a user needs to access an Office 365 app or Salesforce.com or an inventory application in the enterprise data center, they only have to go through one client and one authentication mechanism to get there.”
It’s also easier to scale a cloud service such as SASE than it is a VPN gateway, said Ermetic Chief Marketing Officer Amy Ariel. “For people working from home, it makes a lot of sense to deliver security from a point of presence that’s nearer to where they’re working rather than a data center at corporate headquarters,” she said.
Ariel added that SASE is more efficient and faster than alternative technologies.
“It’s faster because, instead of going over a VPN to the enterprise to be secured and be returned to the user, it’s being done closer to the user. It’s better for the company, too, because with a cloud service, you can have a single policy in the cloud and not manage appliances at every location maintained by the company.”
5. Cloud-based security continues to thrive
The benefits of cloud-based security continue to attract companies to the technology. It combines the economies of scale and reduced costs of the cloud with better protection, greater threat intelligence, and quicker compliance with government and industry rules, regulations, and standards.
Securing cloud environments requires different approaches and technologies than traditional on-premises infrastructure, and software vendors are building cloud-based security platforms or extending their existing SaaS offerings to address growing cloud security needs, said Red Canary’s McReynolds.
Organizations are also attracted to the quality of security tools in cloud-based platforms, said Miles Ward, CTO of SADA Systems, a provider of business and technology consulting services.
“We’re seeing new tools that were built with the cloud in mind by technologists who understand what’s possible in the cloud. They’re super-competitive. They cost less. They’re faster. And they can handle a lot more data.”
No stopping SaaS
The SaaS market is huge, and CASBs and Cloud Data Protection Gateways (CDPGs) are easing some pain points, but they don’t address cloud data security issues with cloud technologies such as Infrastructure as a Service (IaaS), Database as a Service (DBaaS), data warehouse services, and Platform as a Service (PaaS).
“Enterprises require robust hybrid, multi-cloud or cloud-agnostic solutions that are built for the cloud to support a seamless, secure cloud migration of their workloads and yet consume the best-of-the-breed services that the cloud providers are offering.”
The growing use of SaaS applications generally is also contributing to the popularity of cloud-based security approaches. SaaS-focused security platforms are growing in popularity due to the complexity presented by the vast SaaS application landscape, said Brendan O’Connor, CEO and co-founder of AppOmni, a cloud security posture management provider.
“Given the multitude of SaaS apps that companies are now using to run their business, security teams are looking for ways to get more visibility, management, and enforcement capabilities across a broad portfolio of SaaS technologies. At scale, doing this independently and on an app by app basis would be complex and very onerous.”
CipherCloud’s Kothari added that organizations typically subscribe to more than 100 cloud applications. “Information security teams are realizing that it is not humanly possible to learn and effectively manage the fine-grained security controls available in each cloud and orchestrate usage or data security policies manually,” he explained.
“Security-as-a-service provided by cloud-based platforms is recognized as the best solution to this challenge.”