“Cloud” is one of the most overused and least understood words in technology these days, so it is little surprise that there is so much confusion about its security. Popular ideas, right or wrong, gain traction and harden into accepted truths. To provide a little clarity, we set out to test some of them, in the spirit of the television show “MythBusters,” made here in the San Francisco Bay Area.
The following are five myths of cloud security we busted, drawn from the Ponemon Institute’s study on cloud security, available at http://www.dome9.com/resources/ponemon-cloud-security-study.
Myth #1) My provider has my security covered
Thirty-nine percent of IT security professionals think their provider will let them know if their cloud server is hacked. We call these folks wishful thinkers. In fact, most providers’ SLAs and monitoring cover infrastructure availability, not the security of your servers. Under the shared responsibility model the provider secures the infrastructure; you are responsible for how you use it: the operating system, the applications, the firewall rules, the credentials and the data. Think of your car: the manufacturer builds a safe and dependable vehicle, but it is up to you to drive defensively and follow the rules of the road. The same is true in the cloud.
Myth #2) What I did then for security, works now in the cloud
If you think what you have done for years in your network can simply be replicated in the cloud, think again. You do not own the infrastructure, and you cannot walk down the hall to resolve a problem. Forty-two percent of IT security personnel admit they would not know if their cloud server was hacked, and only 9% rate their cloud security as “excellent.” The cloud is far more elastic than traditional IT: servers appear and disappear in minutes, and if your security does not scale as rapidly and automatically, your cloud will outpace your security and you will be in a world of trouble. Fundamentally, as you re-architect your infrastructure for the cloud, you need to re-architect your security to match it.
Myth #3) We don’t use the cloud
Ask someone in IT security whether the company is using cloud computing and the answer is likely to be no, or only SaaS (software as a service) for CRM and a few other services. More likely than not, that is not the whole story. Most cloud adoption is happening outside of IT, often without the knowledge of the IT team. Engineering, marketing, service and support teams make up the majority of cloud adopters, using the cloud to build, service and support customers on their own. So if you work in IT security, query those business units to understand exactly what they are doing, because even if you are not aware of your organization’s cloud use, you are likely still responsible for its security.
Myth #4) I know exactly what I’m doing when it comes to the cloud
Um, no you don’t. But don’t feel bad: nobody really does. The cloud is new and different, and comes in so many flavors that it is virtually impossible for anyone to have an exact fix on things. But start with the basic lines of defense, firewalling, encryption and malware protection, and rethink how each applies when servers are provisioned on demand with public addresses. Fifty-four percent of IT security personnel say they have no knowledge of the risks from open ports on cloud servers, yet 73% agree that the cloud server firewall is the first place to stop attacks and prevent exploits. And of those who do know the risks, 61% say they have already left, or are very likely to leave, ports open and exposed to attackers.
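The open-port risk above is easy to audit if you treat your inbound firewall rules as data. The following is an added example, not code from the article or from the Ponemon study: it takes a constructed set of inbound rules in a simplified, made-up format (protocol, port range, source CIDR; not any provider’s real API schema), and flags every rule whose source covers the whole Internet (0.0.0.0/0 or ::/0) and exposes anything beyond the web ports. The list of sensitive ports is an assumption and a starting point, not a complete policy.

```python
"""Audit inbound cloud-server firewall rules for ports exposed to the world.

Added example. The rule format below is a simplified, made-up representation
of an inbound rule (protocol, port range, source CIDR), not a real provider's
API schema, and the sample rule set is constructed for illustration.
"""
import ipaddress

# Ports that should almost never be reachable from any source on the Internet.
# Assumption: this list is a starting point, not a complete policy.
SENSITIVE_PORTS = {
    22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp",
    1433: "mssql", 3306: "mysql", 5432: "postgres",
    6379: "redis", 27017: "mongodb", 9200: "elasticsearch",
}

# Ports a public web server legitimately exposes to the world.
PUBLIC_OK = {80, 443}

ANY_PORT = (0, 65535)


def is_world_open(cidr: str) -> bool:
    """True if the source CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_label(lo: int, hi: int) -> str:
    return f"port {lo}" if lo == hi else f"ports {lo}-{hi}"


def audit_rules(rules):
    """Return findings for inbound rules reachable from the whole Internet.

    Each rule is a dict: {"proto": "tcp"|"udp"|"all", "from": int, "to": int, "cidr": str}.
    Each finding is a tuple (rule_index, severity, reason).
    """
    findings = []
    for i, r in enumerate(rules):
        if not is_world_open(r["cidr"]):
            continue  # restricted source: not a world-exposure finding
        lo, hi = ANY_PORT if r["proto"] == "all" else (r["from"], r["to"])
        if (lo, hi) == ANY_PORT:
            findings.append((i, "critical", "all ports open to the world"))
            continue
        exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        if exposed:
            names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in exposed)
            findings.append((i, "high", f"sensitive ports open to the world: {names}"))
        elif not (lo == hi and lo in PUBLIC_OK):
            findings.append((i, "medium", f"non-web {_port_label(lo, hi)} open to the world"))
    return findings


# Constructed sample rule set (not from any real account).
SAMPLE_RULES = [
    {"proto": "tcp", "from": 443,  "to": 443,   "cidr": "0.0.0.0/0"},      # HTTPS: fine
    {"proto": "tcp", "from": 22,   "to": 22,    "cidr": "0.0.0.0/0"},      # SSH to the world
    {"proto": "tcp", "from": 22,   "to": 22,    "cidr": "203.0.113.0/24"}, # SSH from one office: fine
    {"proto": "tcp", "from": 3000, "to": 4000,  "cidr": "0.0.0.0/0"},      # wide range hiding 3306 and 3389
    {"proto": "all", "from": 0,    "to": 65535, "cidr": "::/0"},           # everything, over IPv6
    {"proto": "tcp", "from": 8080, "to": 8080,  "cidr": "0.0.0.0/0"},      # dev port left public
]

if __name__ == "__main__":
    for idx, severity, reason in audit_rules(SAMPLE_RULES):
        print(f"rule {idx}: [{severity}] {reason}")
```

Two things in the sample are worth noticing: a broad port range (3000-4000) is flagged even though no single rule names a database port, and the IPv6 catch-all (::/0) is treated the same as 0.0.0.0/0, which audits that only look for the IPv4 string miss.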
Myth #5) My strategic security vendors secure my cloud
No, they don’t. But don’t be mad: they are still trying to figure it out too. Most of the big security companies do not really offer cloud security. They may deliver their existing products “in the cloud,” but few have anything that actually secures cloud servers. Cloud computing and SaaS are new and rapidly evolving, and the big security dogs are technology laggards. Share your requirements with your big security vendors, but look to the smaller, more nimble security companies for help now. In the end, the mainstream vendors will hear your plight and make strategic plays, but it will be a while, and frankly you cannot wait for their corporate development and engineering teams to catch up to their marketing, or to their customers’ needs.
So, there you have it. I hope debunking these common beliefs has not scared you off from further cloud adoption. If you are concerned about cloud security, and you should be, then instead of worrying about which myth might be correct and which might not, go with what you know. You are responsible for your organization’s cloud security, not your cloud provider, so own it. You are going to need new tools and solutions; the same old, same old is not going to work in the cloud. You do not need to know everything about the cloud at the beginning: basic defenses such as cloud server firewalls, data encryption and malware protection are a good start. Finally, look to the companies built for the cloud for help. Follow these simple truths, ignore the myths, and you will be on the right path.
Meizlik is a security veteran with more than a decade of experience advising some of the world’s largest enterprises, including more than half the Fortune 50. Formerly the head of product marketing and communications at Websense (NASDAQ: WBSN), he is a recognized expert in IT security, with specialization in cloud and information security. Meizlik holds bachelor’s and master’s degrees from the University of Southern California.