Let's build security into the fabric of the cloud

Today enterprises, in addition to buying hardware and software to build their computing environments, also carry the burden of securing them. To achieve this, security vendors provide them with a patchwork of security solutions that poorly...


Today enterprises, in addition to buying hardware and software to build their computing environments, also carry the burden of securing them.

To achieve this, security vendors provide them with a patchwork of security solutions that poorly integrate together and are difficult and costly to deploy and maintain. They also rely on infrastructure and application vendors to provide patches to remediate vulnerabilities found in the wild.

Now, with the ever increasing need to connect directly and digitally with customers and suppliers and the rapid pace of technical innovation, the task of maintaining the security and compliance posture of one's network has become a daunting - even one could say impossible task.

This fact was foreseen by the Jericho Forum, which sounded an alarm five years ago with their "de-perimetrisation" manifesto (perimeter erosion).

This concept pointed out that with increased business collaboration and commerce through the Internet, traditional approaches to securing a network boundary are no longer effective because it is increasingly difficult to distinguish between a company's network and third-party networks. It also pointed out that security strategies and technologies must address these challenges by protecting the information itself, rather than working to secure the network and the IT infrastructure.

As IT budgets are being squeezed and as attracting and retaining security specialists is becoming more and more difficult, few companies have the means of ensuring an appropriate level of security and compliance. This is very apparent with the barrage of security breach disclosures published in today’s new even at leading companies with security measures in place.

Now enters Cloud computing, which combined with the commoditisation of the desktop (with devices including iPhones, iPads, Android devices, etc.), are turning security on its head.

With need to reduce costs while increasing the ability to communicate evermore digitally, corporations are taking advantage of virtualisation and better bandwidth capabilities to simplify and consolidate their computing infrastructures by moving their data and applications into private and/or public clouds.

They are transitioning desktop users to thin client computing, where users can have global access and share the data they need to conduct their business via thin client and mobile devices across the Internet.

At the same time, malware has taken on an unprecedented scale, as organised crime has been able to leverage the Internet far quicker than the traditional security vendors can deliver the appropriate counter measures. It is a well-known fact that antivirus solutions are, for example, unable to cope with the malware deluge coming at us.

This movement to the Cloud has profound implications for security.

There has been much publicity around sophisticated attacks pointing to foreign intelligence making us believe that we cannot do much about it. In fact the majority of these high profile attacks can be traced to the exploitation of vulnerabilities that could have been easily eliminated or mitigated.

Hacking into computer systems is certainly not new, and is typically the result of social engineering or identifying holes in the systems and their protection. What has changed is the complexity and scale of the computing environment we need to protect.

As an example, a much-publicised issue last year was the theft of credit card data. Today we see the underground market value of stolen credit card information drastically going down, and cybercrime is moving to more lucrative grounds such as bank account information and health care records.

This is because the Payment Card Industry (PCI) requirements along with better fraud detection systems have made cybercriminals less interested, except in some specific locations, in going after credit card data; as we all know, lower demand always correlates with lower prices.

Still, the easiest way for cybercriminals to steal valuable data is to enter through identified or unknown vulnerabilities, and what works in their favour is the huge proliferation of devices and the many ways they interact and exchange information. This makes them exponentially more vulnerable and harder to protect.

As opposed to enterprise computing, which has become highly distributed, heterogeneous and complex to manage, cloud computing technology enables the centralisation of data and the building of a fractal infrastructure. It therefore offers a better ability to more effectively protect the data at the data level itself and streamline the patching and mitigation processes.

This allows a drastic reduction in the cost of securing such an infrastructure because costs can be distributed across thousands, and even millions, of users, and further reduced via the automation it provides.

Corporations are now beginning to realise this, and as they move to private and public clouds, they are looking for security solutions that are much more effective to deploy and to maintain than the ones they are used to. They also are looking at solutions that can easily interoperate, as one vendor cannot have a solution that does it all.

The opportunity we all have with cloud computing is to build security into the fabric of cloud computing. This will naturally result in vendors building security into cloud services as well as Internet devices and platforms (such as iPhones, Windows mobile and android based devices). Case in point - it is quite clear that the mobile phone is soon going to become the new credit card, and that security has to be built into such a device and not as an add-on that one installs.

This does not mean, however, that enterprises will not continue to have the ultimate responsibility for the security and compliance of their data and of the data of their customers, such as in the case of loss of information or the violation of compliance requirements. It means that corporations will have to establish new relationships of trust with their cloud computing vendors.

As Ronald Reagan once crisply stated, "Trust but Verify." In fact, this is not a new concept as many years ago, most large corporations have developed the means to audit their outsourcers and suppliers and calculate the risk it may present.

The difference is that such an audit process must now be more automated. The Cloud Security Alliance has emerged as a grass roots and global effort to equip corporations with the guidelines and best practices to conduct such security audits.

Naturally, such a transition will not happen overnight. To stay relevant, security vendors have to retool their current offerings to adapt them to this new environment, and needless to say, this is not an easy task, and new security companies will emerge to rise to the opportunity.

In the meantime, as the entire enterprise computing industry continues its consolidation and move to the cloud at an accelerated pace, corporations will be faced with infrastructure and applications becoming obsolete and becoming very difficult to secure, while learning, to paraphrase Adrian Secombe, a founder of the Jericho Forum, "what to cloud or not to cloud."

The bottom line: It is going to be harder before it gets better. Yet we can start to see the light at the end of this quite dark tunnel at the dawn of this new computing era.

Posted by Philippe Courtot - Chairman and CEO of Qualys

"Recommended For You"

Jericho Forum helps secure cloud computing environments RSA Conference 2011 roundup: GRC in the cloud, mobile...