Public Cloud Can Make Security Easier And More Powerful, Experts Say, But Visibility, Ownership Challenges Persist
Solution providers and customers alike need to do less to secure the public cloud since so much of the functionality is delivered by the leading cloud providers, according to cloud security experts.
But that doesn't mean securing Infrastructure-as-a-Service is without its challenges, according to several CEOs, sales leaders or technical experts focused on cloud security. Everything from gaining visibility into where sensitive data resides to ensuring customers hold up their end of the shared security responsibility model poses a potential pitfall in the public cloud, experts said.
On the positive front, IaaS providers such as Amazon, Google and Microsoft offer free tools and APIs that replicate the functionality provided by traditional tools such as a network firewall, according to Ryan Kalember, senior vice president of cybersecurity strategy at Sunnyvale, Calif.-based Proofpoint.
The public cloud is almost constantly refreshing the OSes and hardware in use, relying on the latest and most advanced security technology, said Gunter Ollmann, CTO, security, cloud and artificial intelligence, for Redmond, Wash.-based Microsoft. As a result, Ollmann said businesses can have things done by default that they've wanted to do for many years without having to worry about harming legacy applications or systems.
The public cloud typically requires a micro-services approach, ensuring that individual applications are secure as a stand-alone element rather than solely worrying about the application stack as a whole, said Daniel Spurling, director of cloud and transformation at Seattle-based Slalom Consulting, No. 37 on the 2018 CRN Solution Provider 500.
Security for on-premises infrastructure or private spaces, though, oftentimes still takes place more at the border or outer-ring level, with a "soft, chewy middle" remaining on the inside, according to Spurling. It continues to be difficult for a marketing or salesperson to expose data externally when that's necessary for business purposes if the information resides on public or on-premises infrastructure, Spurling said.
When applications were running in the data center, businesses knew the databases and OSes, controlled the physical hardware machines they were running on, understood what data was there and were able to scan the data, said Brian Roddy, vice president of cloud security for San Jose, Calif.-based Cisco Systems. But in the event of a breach, Roddy said it meant that all of that data could be compromised.
"You've centralized your application control, but you've also centralized your risk," Roddy said.
Conversely, Roddy said organizations give up control when they shift to a SaaS model, with applications such as Salesforce, ServiceNow and Marketo each providing a different set of policies or controls around data. Although Roddy said this makes it more difficult for businesses to manage those applications and maintain consistent policies, there are positives as well.
"If any one of those systems is breached, you've decentralized your risk," Roddy said. "You've moved that to a bunch of different companies."
As recently as 18 months ago, the public cloud was primarily being used for dev/test or simple application-based workloads, meaning that businesses were comfortable depending on security offered by the cloud providers themselves, according to Dean Darwin, senior vice president of sales and channel strategy for Santa Clara, Calif.-based Palo Alto Networks.
But today's customers have moved well past dev/test and are now running enterprise-class apps in the public cloud, Darwin said, as well as retiring, rearchitecting and rebuilding apps that handle customer data, financial data or HIPAA data. As a result, Darwin said businesses are looking to truly extend their on-premises security policies into the cloud with enterprise-class offerings.
Underneath the hypervisor, Darwin said Amazon Web Services, Microsoft Azure and Google Cloud Platform are responsible for everything and deliver a more secure experience at the plumbing level than businesses could in their own data center since the public cloud players rely on a closed, API-centric, cloud-based system. But above the hypervisor, Darwin said businesses are responsible for their own protection in accordance with the shared security model.
"It's the same attack surface, and you're responsible for it, not the cloud providers," Darwin said.
Private cloud is rather fragmented in a typical IT environment, with businesses often struggling to get their databases, OS, infrastructure and security to work together within a single framework, according to Shawn Keve, executive vice president of sales and marketing at Atlanta-based Simeio Solutions, No. 369 on the 2018 CRN Solution Provider 500.
An organization's own infrastructure isn't going to come with all of the security and governance controls needed to run a tight ship from a security standpoint, Keve said. Specifically, Keve said companies struggle to provide a single-pane-of-glass environment to orchestrate controls across infrastructure and applications.
Keve said many companies used to generate their own power to run their business, even though that's unheard of today. Similarly, Keve believes that it will be unheard of in the future for companies to build up and deploy their own infrastructure.
In time, Keve said public infrastructure will be more comprehensive and capable from a security standpoint than what most businesses can do with their own resources.
Going forward, organizations want to be able to move workloads to the most simple or cost-effective environment at a moment's notice, according to Michael Fey, president and COO of Mountain View, Calif.-based Symantec.
Maintaining the ability to move workloads across public clouds is the only way organizations can avoid ending up marooned inside a single public cloud provider that ruins their cost structure, Fey said. The best companies therefore build compute that functions on Amazon, Google and Microsoft so that they're strategically capable of running on all three platforms, according to Fey.
If, for instance, a solution only works on Amazon, Fey said the company becomes locked in and has limited its capability to embrace the next generation of cloud computing.
"Organizations are having to build for all three," Fey said. "It's all of them."