Building security into the cloud

Today's enterprises, in addition to buying hardware and software to build their computing environments, also carry the burden of securing them. Security vendors provide them with a patchwork of security solutions that integrate poorly, and are difficult and costly to deploy and maintain. They also rely on infrastructure and application vendors to provide patches to remediate vulnerabilities found in the wild.

Now, with the ever-increasing need to connect directly and digitally with customers and suppliers and the rapid pace of technical innovation, maintaining the security and compliance posture of one's network has become a daunting, one could even say impossible, task.

This fact was foreseen by the Jericho Forum, which sounded an alarm five years ago with their "de-perimetrisation" manifesto. This pointed out that with increased business collaboration and commerce through the Internet, traditional approaches to securing a network boundary are no longer effective, because it is increasingly difficult to distinguish between a company's network and third party networks.

It also pointed out that security strategies and technologies must address these challenges by protecting the information itself, rather than working to secure the network and technical infrastructure.

As budgets get squeezed, and as attracting and retaining security specialists is becoming more and more difficult, few companies have the means of ensuring an appropriate level of security and compliance. This is becoming apparent with the barrage of security breach disclosures published in today’s news, even at leading companies with security measures in place.

Here's where cloud computing comes in. When combined with the commoditisation of the desktop (with devices including iPhones, iPads, Android devices, etc.), the security landscape is rapidly being turned on its head.

The need to reduce costs, while increasing digital communication capabilities, is driving corporations to take advantage of virtualisation and better bandwidth capabilities to move their data and applications into private and/or public clouds. They are transitioning desktop users to thin client computing, where users can have global access and share the data they need to conduct their business via commodity desktop and mobile devices across the Internet.

At the same time, malware has taken off to an unprecedented scale, as organised crime has been able to leverage the Internet far quicker than the traditional security vendors can deliver the appropriate counter-measures. It is a well established fact that antivirus solutions are, for example, unable to cope with the evolving malware threat coming at us.

This movement to the cloud is an entrenched trend, and one that has profound implications for security.

There has been much publicity around sophisticated attacks pointing to foreign intelligence agencies, leading business decision makers to believe that not much can be done to secure themselves.

In fact, the majority of these high profile attacks can be traced to the exploitation of vulnerabilities that could have been easily eliminated or mitigated. Hacking into computer systems is certainly not new, and is typically the result of social engineering or identifying holes in systems and their protection. What has changed is the complexity and scale of the computing environment that needs protection.

As an example, a much publicised issue last year was the theft of credit card data. Today we see the underground market value of stolen credit card information dipping drastically, and cybercrime is moving to more lucrative grounds such as bank account information and healthcare records. This is because the Payment Card Industry (PCI) requirements, along with better fraud detection systems, have made cybercriminals less interested in going after credit card data. As we all know, lower demand generally produces lower prices.

Still, the easiest way for cybercriminals to steal valuable data is to enter through identified or unknown vulnerabilities, and what works in their favour is the huge proliferation of devices and the many ways they interact and exchange information. This makes them exponentially more vulnerable, and harder to protect.

As opposed to enterprise computing, which has become highly distributed, heterogeneous and complex to manage, cloud computing technology enables the centralisation of data and the building of a fractal infrastructure. It offers expanded ability to more effectively protect data at a basic level, and streamline the patching and mitigation processes.

This allows a drastic reduction in the cost of securing your infrastructure, because resources can be distributed across thousands, and even millions, of users, and further reduced via automation.

Corporations are now beginning to realise this, and as they move to private and public clouds, they are looking for security solutions that are more effective to deploy and to maintain in this atmosphere than the ones they are used to. They also are looking at solutions that can easily interoperate, as one vendor is unlikely to have a solution that covers all their needs.

The opportunity we all have with cloud computing is to build security into the fabric of cloud computing. This may result in vendors building security into cloud services as well as Internet devices and platforms (such as iPhones, Windows Mobile and Android-based devices). Case in point: it is quite clear that the mobile phone is soon going to become the new credit card, and that security has to be built into such a device and not as an add-on that the user is responsible for installing.

This does not mean, however, that enterprises will not continue to have the ultimate responsibility for the security and compliance of both their own information, and any customer data, such as in the case of loss of information or the violation of compliance requirements.

It means that corporations will have to establish new relationships of trust with their cloud computing vendors. As Ronald Reagan once crisply stated, "Trust, but verify." In fact, this is not a new concept as most large organisations developed the means to audit their outsourcers and suppliers years ago, and already calculate the risks they may present.

The difference is that such an audit process can now be more automated. The Cloud Security Alliance has emerged as a grassroots global effort to equip corporations with the guidelines and best practices to conduct cloud security audits.

Naturally, such a transition will not happen overnight. To stay relevant, security vendors have to retool their current offerings to adapt them to this new environment, and needless to say, this is not an easy task, and new security companies will emerge to rise to the opportunity.

In the meantime, as the entire enterprise computing industry continues its consolidation and move to the cloud at an accelerated pace, corporations will be faced with infrastructure and applications becoming obsolete and very difficult to secure. We will need to learn, to paraphrase Adrian Seccombe, a founder of the Jericho Forum, "what to cloud or not to cloud."

The bottom line: It is going to be harder before it gets better. Yet we are beginning to see the light at the end of this dark tunnel at the dawn of this new computing era.

Posted by Philippe Courtot.

Philippe Courtot is CEO and chairman of Qualys. Before joining Qualys, Philippe was the Chairman and CEO of Signio, an electronic payments platform that was acquired by Verisign in February 2000 and today handles 30% of electronic payment transactions in the US.
