Given the huge breaches suffered by major companies over the past year, one could be forgiven for asking if there can ever really be a secure cloud.
The answer, according to one speaker at Structure:Europe, is no, not really. But, then again, no one really cares. “If you look at breaches at major companies like Google, LinkedIn and Sony — no real harm resulted,” said GigaOM PRO analyst Greg Ferro. “Every time Sony gets breached its share price goes up. RSA a few years ago got owned by some offshore hackers and now customers see RSA as a better provider because they got hacked,” Ferro noted.
A panel of vendor security execs didn’t necessarily agree with that contention but noted it is their job to bake better — and less painful — security into all levels of their clouds. It is no longer enough to slap a firewall up and claim victory because this battle has evolved from old-time trench warfare to a battle without front lines, said Joe Baguley, CTO of EMEA for VMware.
The bottom line is if security procedures are painful and slow down the process, people will circumvent them. Apple put fingerprint recognition on the iPhone 5S because people weren’t protecting their phones, Baguley said.
Cloud vendors are between a rock and a hard place when it comes to security because customers want to know what they’re doing to protect data and applications, but sharing too much of that impairs security.
Adrienne Hall, Microsoft’s GM of Trustworthy Computing, said there are broad “themes” that cloud providers can share with enterprise customers. Customers should be able to ask what the vendor is doing at the design phase and the deployment phase to protect cloud services.
“If the cloud provider can’t answer those questions, it’s cause for concern,” she said.
This session was part of GigaOM's Structure:Europe 2013 coverage; a transcription of the session video follows.
Session: Mission Not So Impossible: A Truly Secure Cloud?
Greg Ferro 00:04
Thank you so much for coming, at least there’s somebody here to pay attention. This session is to talk about Mission Not So Impossible: A Truly Secure Cloud? Which we all know is truly impossible, pointless, and hopeless. There is no such thing as a secure cloud, that’s my position. In my view, IT security remains a rabble of unruly teenagers that organize security conferences that focus on picking locks, debating who’s got the finest beard or ponytail, and arguing over which martial art or fitness program is the right one for a security professional to follow. We have security professions, vendor certifications, IT security lacks serious credibility. How many jokes can we put at an IT security professional? Recently we’ve seen security becoming a process because it’s not a thing, it’s just a joke, and we’ve got a lot of security professionals calling things that had old names like “threats” have got new fancy names like “advanced persistent threats”. Exactly the same as the old ones, just with new, better names.
Greg Ferro 01:10
In the year of the cloud, customers need assurance that their cloud providers have solved the security problems, and that’s what we’re here to talk about. I want to start off with the first place, when customers approach a cloud provider, they need some assurance that the cloud provider has done something, hopefully a lot, to make their cloud more secure. I want to throw over the first question to you, Adrienne, what is it that customers can do to feel assured that cloud providers are doing stuff?
Adrienne Hall 01:41
Customers are interested in how did we actually build and architect the cloud. Did we build with security in mind? Did we take some practices from the past and move those into the cloud era? What are we doing to keep the data centers secure? And if and when the unexpected occurs, how is the company communicating and remediating anything that happens? Those three categories are good ones for customers and those are areas of focus for Microsoft.
Greg Ferro 02:05
What about you, Gavan? What are you thinking customers are asking about?
Gavan Egan 02:10
As customers look at the cloud, there’s two key things which they do differently today in cloud than they’ve done before. First of all, they’re putting their applications and data on architectures they haven’t designed and built themselves, so it’s an independent architecture, so how does that fit in terms of my own security posture that I want to have at the company? The second thing is they’re working with a separate legal entity, so from the legal perspective, from a compliance perspective, how does that fit into “How do I run my business?” and “How can I get these guys to react the way I need to as a business?”
Greg Ferro 02:40
People say that we go over to some other company, do we actually transfer legal risks off to the cloud provider or does that cloud provider have plausible deniability?
Gavan Egan 02:49
The cloud provider contains risk for some part of it, and it’s really important as you look and choose a cloud provider that it’s very clear what risk you own as a company and what risk the cloud provider takes on. You talk about security, it’s all about security, I agree with you. What does truly secure mean? If you can’t define what it actually means, will you ever achieve that state? The real question here is risk. As a company, when I want to put my data or applications in the cloud, what risk am I actually taking on? What does it mean to my business?
Joe Baguley 03:24
To come back out to the topic of security, and your threat analysis, I think we’ve moved from traditional warfare of the early 1900s, with trenches, to modern warfare, which doesn’t have front lines, and I think that’s what we’re looking at now in the new world of computing. Traditionally, when you wrote an application, you didn’t actually think about security, that was something someone else did afterwards, they put it in a data center. “Oh, we put a firewall on it, that’s going to be fine.” We’re learning as an industry that that’s not acceptable anymore. It’s almost like as human beings, if we’d evolved without any defensive mechanism against infection, but just a big plastic bubble and wrote “firewall” on it in crayon. That’s how we’ve built computer systems to date, so as you go forward to building computer systems and applications for the new world, it’s not enough to just have one barrier. It’s not enough to have several barriers, it’s about having security embedded in how you build the architecture, how you build the platform, how you build the application, how you do everything all the way up the stack. I would argue that security is everyone’s concern now, not just the concern of the security professionals with their qualifications in the corner.
Adrienne Hall 04:36
That’s what’s good about having choices. People can decide what they want to put in a public cloud, what they want to put in a private cloud, and make those kinds of choices. It really does come down to risk, the majority of the time. It does differ, if you’re a smaller business you might really benefit from the cloud because you don’t have IT staff, you don’t have regular updates, you might be running on technology that’s 7-10 years-plus old, for those kinds of companies, the cloud is absolutely going to be more secure.
Greg Ferro 05:02
Before we get onto risk, you mentioned risk, and the flip side of this is that in the last 10 years we’ve seen any number of companies get breached. We’ve seen Google give away their logins, we’ve seen LinkedIn give away multi-multi-millions worth, we’ve seen Sony get breached 96 different times, how much business did they actually lose? Sony’s share price actually rose after every single breach because they got exposure. By that measurement, Sony should go out and get hacked every week. They should spend less on security, so they could increase their share price, would be the natural extension. If you look at companies like RSA, RSA a few years ago got utterly owned by some offshore provider. Their whole two-factor authentication code was stolen, they only disclosed this once it was actually released into a public forum, and today customers now perceive RSA as one of the better security providers because they’ve got hacked. Not because they have better products, but because they got hacked. Hila, you’ve talked about this earlier, do you think risk models are actually possible? Is it able to do something in this place?
Hila Meller 06:09
I would like to go back to the previous question that you asked because all the points that were mentioned here were great, but there’s one specific aspect that is now extremely hard. We have a lot of discussions around it with customers, and it’s about privileged users, system administrators that work on the side of cloud service providers. Look at the Snowden case, it’s all over the news. It’s a system administrator that had full access to several systems. Look at the world of cloud services providers, you don’t know who these people are, and they have full access to all the information about you, they can do things, maybe even on your behalf, because of that unlimited access. It becomes a hot topic. It’s related to insider threat, people like your system admins that work for you, but may do something wrong or bad, just like that Snowden case. But it’s also related to what you mentioned earlier, the APTs, the advanced persistent threats, because at the end of the day when you look at all of the hackers, and all of the bad people outside the organization that want to enter and do something, what they would like to put their hands on are your privileged accounts. It’s the root account, it’s the system admin accounts, that they would like to have control of and then create some serious damage.
Greg Ferro 07:32
Those are the risks, but how do we mitigate those? How do we measure those and carry those forward to the execs?
Hila Meller 07:36
Exactly, take it to the world of visualization, and the world of cloud providers and it becomes such an extreme threat, something that you would like to control. It’s all over the news right now, and we see a growing interest coming from customers, especially cloud services providers, about it because this is the way to differentiate. This is the way to go to the market and say, “We are the secure option for you.”
Greg Ferro 08:01
Cloud security providers aren’t doing anything new about security that wasn’t being done yesterday. Adrienne, what’s Microsoft doing that’s new about security? You’ve got part of the Trustworthy Computing Initiative.
Adrienne Hall 08:12
Fundamentally, there’s a whole bunch of crime issue, you mentioned some of the breaches going on, and what we’re doing is we’re looking at the kinds of threats that are happening in a cloud era versus a packaged product, or client server environment. Some of them are around access points, some of the things you’re saying has data classified, we’re talking to customers a lot about how they’re defining that their high value assets are inside of the organization, which, if you’ve got your own contained network, and you’re not deciding where to place something in another location, you might not have had to classify data in quite as rigorous a way. People do need to take a close look at admin privileges in a different way, what they decide to place in the cloud, and how they rely on the cloud vendor to stay current with some of those threat trends. I know you don’t think the hackers are credible, but–
Greg Ferro 09:04
I think hackers are credible, but I think security professionals are a joke because they’ve done very little to deliver useful– If security professionals were doing it right, these organizations, “Super Companies”, who should have unlimited funds to apply security, LinkedIn, Google, Facebook, they’d have serious security, and we wouldn’t be seeing the vulnerabilities. Our operating system vendors are delivering patches of 30 a month to the operating systems on a regular basis because they can’t get security into their operating systems. Security professionals aren’t delivering on the commitments that they make.
Hila Meller 09:39
We were talking about it earlier, it’s not that the risk models are not working, it’s about the way that security officers often communicate it to their executive management. Traditionally, security officers were technical guys that used to configure firewalls, and now comes a quest for more business-oriented security officers that can handle a discussion with a CEO, that can handle a discussion with a board and talk to them about risk, but using business language. Explaining why, if you don’t upgrade your firewall, there will be extreme damage to the business, and be able to translate it into business language.
Greg Ferro 10:17
I’m not sure I subscribe to that, because that’s like asking the bouncer at the front of the nightclub to run the bar. There’s two different things here, security professionals are designed to keep people out, and to beat them over the head and escort them off the premises, are they the right people to tally up the money and run the–
Joe Baguley 10:32
That’s part of the problem that we’ve got in the industry. We all use security of varying forms on our devices, and if it’s in any way inconvenient to how we do our daily job, we somehow find a way to do it the least painful way possible. Apple has just brought out fingerprints because half the people using iPhones weren’t locking their iPhones because it was too much hassle to type a code in. It was only when corporate would push that policy down that they were forced to do that. Traditionally, as a security professional, you tend to be seen as an over-concerned bully who is waving his hands and being scary towards the business and comes up with ways in which they’re going to impede your workforce in doing their daily job. What we’re going to do is we’re going to slow down your log on times by making you have to use this funny key ring with a code on it. I know you can access all your data really easily on your iPhone, but we’re going to make sure we put a load of security crap on it to try and make it really slow and horrible. We’re going to make sure you have to use a VPN so you can use our internal phone system. You almost need to switch the visibility of security and the perception of security within organizations as being something that provides value to the organization. IT needs to somehow find a way of being a value provider to the business and proving that as an organization, they can differentiate themselves from their competitors because of security.
Greg Ferro 11:58
To differentiation, one of the big things in the cloud is cloud certification, or security certification. If you’re a cloud provider, you’ve probably got a ball attached to your leg, it’s a big one, a big black one like they have on the cartoons that says, “4 kg” and it’s called ISO 27001, except it’s actually hollow because it’s pointless. Last time I did an ISO 27001 engagement, I ended up winding my security back from nine to about a six to get compliant. But customers are asking for these certifications, they want these types of things and the cloud provider can hold it up and it’s like a get out of jail free card, “Look, I’ve got an ISO 27001 certificate, I don’t need to tell you about my security. I’m free.” What do we do about that? What about certifications, do customers believe that it’s actually a thing?
Gavan Egan 12:39
I think so. We’ve all got to understand that certifications are a baseline. They are a common standard. We can trust them, we can look at them, but we have to understand them in the context of the risk that we as individual companies face. That’s really important. What ISO means to one company doesn’t mean the same for another company, so that’s quite important. It does come back to a point you made earlier on, in the cloud business, we see companies getting much more mature about security in cloud. In terms of Verizon’s business, over 60% of the applications we run are mission-critical web facing applications. That’s a big batch load from a company to put stuff in the cloud. We issue this thing called a data breach report every year. We investigate, along with the findings of other organizations, 47,000 security incidents, 621 actually confirmed security breaches. None of them knew the concept of virtualization. The cloud today is pretty good, but what’s really important, is it good enough for you as a business? That’s really back to the risk conversation that we talked about earlier.
Adrienne Hall 13:52
The baseline point is whether it’s the fundamental layer, or whether it’s some of the industry-specific certifications, if that helps reassure people that we’re taking all the necessary steps, that’s a good thing. I also like services like the Cloud Security Alliance, where they’ve got a cloud-control matrix that you can look at and decide how you’re going to enter in the certs that you’ve achieved, and then customers can take a look at how vendors are doing, achieving those certs. I think it’s a great way to get a level of objectivity to the whole cert debate.
Joe Baguley 14:22
We have to look at those kinds of certifications like the MOT you get for your car. This is the test that says it’s allowed to drive on the road. It doesn’t mean it’s the best car and it’s going to be amazing, but it’s passed that baseline. Or the license to drive. You’ve got a license to drive, but the first day you learn to drive, you pass that test, we know it’s not a good day.
Greg Ferro 14:47
You say, “We’ve got a certificate,” but my CEO will say, “Look, I get an insurance certificate, I’m insured.” Why do I have to take that as a baseline and then have to decide what I need to do that’s extra? The reality is, when you get that certificate, that’s the thing that matters. Once I’ve got my insurance, I don’t actually need to think about what extra insurance I need. That’s a business thing.
Joe Baguley 15:11
It’s more about what you think you need for your business. You get the insurance, the base liability insurance you need to do a job, but maybe in your particular role you decided you need additional insurances based on your business activity. It’s the same as security. Yes, you’ve got your ISO 27001, but you might need to go beyond that.
Gavan Egan 15:25
It’s back to the point Hila made earlier on, are security professionals doing a good enough job at communicating the risks up to their CEOs so they can actually understand it? So they don’t accept it at baseline, ISO, whatever certification has been the certification that’s good enough for my business.
Greg Ferro 15:43
I disagree with that, too, because I don’t think CEOs understand enough about security to actually understand what they’re being told.
Gavan Egan 15:49
They don’t understand enough about security, but they understand a lot about reputation and about return, and security, you can really damage your reputation.
Joe Baguley 15:57
It’s a risk-thing. One of the things that’s often cited in this whole “bring your own device debate”, the CEO walks in and goes, “I want to access our CRM system on my iPhone,” or Windows mobile device, in case you remember them, he’s saying, “I want to access my CRM system on this device” and you go, “I can’t because it’s not secure enough” his answer nowadays is, “Hang on a second, but my bank gives me an application that means I can access my banking stuff on here, so why can’t I access our CRM system?” You then have to explain to him about the risk and liability assessment the bank’s gone through and acceptable amount of loss and the other kinds of things they’ve been through, but as far as he’s concerned as a consumer in the world, why can’t we do that? As a security professional, you’ve got to explain why you can’t do that.
Hila Meller 16:50
It all goes back to the discussion of how security is now transforming to become a business-enablement role instead of the guy that says, “no” to everything, and with authentications, if you communicate it in the right way to the outside market, you might win new customers because you’re the secured selection.
Greg Ferro 17:12
I want to move on to the next topic, which is the lack of transparency around the cloud. For customers who are approaching cloud providers, and starting the process of engaging and transferring, you might want to say, “I need to have some visibility into the system itself. What is your security process?” Most cloud providers will tell you, “We can’t tell you, it’s a secret.” That classic security line. “We could tell you what’s going on, but it’s a secret. You can’t know.”
Adrienne Hall 17:36
You’ve had some bad experiences.
Joe Baguley 17:38
Yeah, someone’s been nasty to you, obviously.
Greg Ferro 17:45
I’d like to think I bring out the best in me.
Joe Baguley 17:46
The short answer to that is, if I tell you and share with you, as one customer, my entire security road-map planning, et cetera as you ask, then surely I’m increasing my attack surface by telling you that, and my other customers would be quite upset because I’ve not shared how I’m doing security with you. I understand you maybe want to know that, this is where it comes down to the fundamental again, trust. It’s all about trust, and you can’t be that transparent in everything you do.
Adrienne Hall 18:20
For individual customer configurations, totally true. I do think there are themes across all the cloud offerings that people are looking at. The customer should count on cloud providers working very hard to try to get this right, because this is super critical to any of these services being successful. It’s themes like, “What are you doing at the design phase?” “What are you doing at the deployment phase?” “How are you supporting it afterwards?” “How are you coming back around and updating?” I think all those themes are things that all of us have done and are doing that run across the cloud services and people can expect that from their cloud provider. If they can’t answer those questions, then that’s a cause for concern.
Hila Meller 18:58
There’s also a clear difference between enterprise customers and consumers and the amount of transparency that you would get from your cloud provider. We just launched a cloud service that is hosted here in New York. The data center is open, you can go there, have a tour, and see how security– When you deal with enterprises, the level of transparency goes higher and you share more information. It’s about buying power, at the end of the day.
Greg Ferro 19:29
I was talking to a company recently, I think it was Telex, I think Joe might be here, and Telex was telling me they’ve actually got video systems and they actually watch people walking from camera to camera and if they’re there for more than three seconds, then they say they’re loitering and they send somebody to find out what they’re doing.
Adrienne Hall 19:45
All the physical security learnings of the past are transferring to the data center, and I think that that’s something that you’d expect around network access, physical security access, who has keys to which servers?
Joe Baguley 19:58
What you’re also seeing is the fact that law is having to catch up with this and the security standards are going to have to catch up with this, because we’re still hung up with the physical allied to secure. And with regards to data, it doesn’t necessarily mean that. If I’ve encrypted it and split it across 15 different data centers, where it’s physically located is no longer relevant. Who has access to the data is what’s important. Whilst we sit here with security regulations and standards based around the physical location and security of your data center, the fact is that if someone did break into your data center and pull a hard drive out, all they’ve got is a bunch of random true encrypted whatever, there’s no real use to them, supposedly. We need more focus on the identity management, which really hasn’t been solved in the cloud yet, we need more focus on access control and how people literally access data and secured data, not how they physically store it and do things. We need, as an industry, to start focusing more on that, but because the regulations are still held in the past of physicality, it’s not driving the industry to make changes and advances in that.
Hila Meller 21:04
I completely agree about managing identities, managing access in the cloud, in what we call standard enterprise. The enterprise today is no longer legacy-based landscape, you see mobile devices, you see cloud applications, it’s completely extended, and identity becomes the new perimeter in a way. Most of your security controls and your way to enable the enterprises about your ability to identify the identities, authenticate them, and provide them the right access to these different fragments of information that are out there in different places.
Joe Baguley 21:38
To your compliance point, as cloud providers want to provide more and more service to enterprises who take on risk on behalf of their customers, transparency is absolutely key. They have to be able to be audited against the standards that their customers require, not just protect their standards, but against the standards that customers require. That’s a key thing to look for in a provider.
Adrienne Hall 22:02
I think most of us are doing third-party audits that we make available to customers when requested, whether it’s British Standards Institute, [inaudible], any of those that Microsoft uses.
Greg Ferro 22:12
I’m taking your point about the briefings and discussions, you could actually pick one person from a customer, the security officers should be briefed, and should have some visibility. That’s rational. Not talking about briefing the entire IT team at the enterprise, but it does come back to the key-man dependency, so the Snowden debate did show us that a key-man dependency creates an issue where system administrators have God-like access and they can do whatever they like with the system.
Joe Baguley 22:40
There was one who held, I think it was the city of San Francisco, ransom about three or four years ago because the network admin got fired and he just took the passwords for all the routers with him.
Greg Ferro 22:48
There’s a really great story behind that, and the guy himself is one piece of work. I’d like to thank my panelists for joining me today. I’m sorry I didn’t have time to take questions from the audience, but feel free to catch any of us in the corridors outside after the session, and thank you very much for listening.