Last week, I once again had the pleasure and privilege of attending the RSA Conference in San Francisco. I heard estimates of a record-breaking 40,000 attendees. It didn’t seem much busier than previous years, but as another participant pointed out to me, that might be because it was better organized this year, with pre-registration for the sessions. This year I focused my sessions on the Cloud.
The Cloud Security Alliance (CSA) held an all-day seminar on the first day of the conference (WinMagic is a member of CSA and a sponsor of the event). The Cloud is a very fast-growing and dynamic area of computing and I got the sense that 2017 is a tipping point of sorts. According to at least one survey, for the first time more IT people think the Cloud is more secure than on-premise computing. Another survey indicated that IT spending in the Cloud would match on-premise spending, again, for the first time. Of course there are still significant security concerns about using the Cloud, but I view cloud security as an enabler: not something that slows down adoption, but something that actually speeds it up. When there are good solutions to ensure enterprises can benefit from the Cloud, yet contain and manage their risk, then they can accelerate their migration to the Cloud. Despite all the controls cloud providers have made available, the shared security model still applies. In the end, enterprises are responsible for the security, privacy and compliance of their data, wherever it is. There is no transference of risk to the cloud security provider in this respect, only mitigation. Therefore, enterprises need to play their part to secure their data.
My colleagues and I picked up on a few security-related threads that were woven into the CSA presentations and continued to reappear in the Cloud-oriented sessions throughout the week:
- Identity is the new perimeter
  - The perimeter is dead, at least the one fortified by firewalls, was the message of past RSA conferences. This year I started hearing that identity is the new perimeter. Multi-factor authentication is the minimum requirement when accessing cloud resources, and least privilege contains the damage any one breach can cause.
  - Don’t get caught in the Danger Zone – too much access, with too many privileges.
  - In fact, Access Control has become the new Network Control, if you will.
- The Internet is the new corporate network
  - The logical conclusion – when more and more users work from home or the road, and more and more of the enterprise services they access are in the cloud, the corporate network shrinks. It no longer makes sense for remote users to VPN into a corporate network whose only purpose is becoming a jumping-off point to access resources in the cloud.
- Automate or Die
  - This was the name of a SANS session on Cloud Security. The instructor did start out by clarifying that if you did not automate your security you wouldn’t actually die, but it is still a good idea anyway. A great deal of the scalability and agility benefits of the cloud come through automation. The security processes need to be automated too, to keep up.
- Shift Left
  - If you think of DevOps as a process that moves left to right, from inception to design, to coding, to testing, to deployment, then shift your security engagement left. Don’t find yourself recalling an insecure app from the field; rather, think about security early and often. Catch the problems at design time, i.e., shift left.
- Data Governance is no longer simply a nice-to-have
  - With data security regulation increasing worldwide, and in particular, EU-GDPR coming into force in just over a year, it’s time to get a handle on your data. Put the tools in place now to protect it, control access to it, and report and audit on those protections.
To sum up, any organization that is about to enter the cloud, or is already there and looking to secure its workloads and assets, needs to consider three things. First, the Cloud still operates in a shared security model. That means enterprises are ultimately responsible for the security, privacy and compliance of their data. Don’t expect someone else to manage your keys and data security. Second, you need better control over who accesses your data, and over the process they go through to authenticate. Automate the processes using the best tools available. And third, don’t operate your cloud security in a bubble. It needs to be part of a larger enterprise-wide initiative.