Despite the meteoric rise of cloud-based applications and services, and their subsequent adoption by a significant number of enterprises, security still remains a major concern for many organizations. The elephant in the room is the misconception that the cloud is less secure than on-premise capabilities. Gartner eloquently describes this as “more of a trust issue than based on any reasonable analysis of actual security capabilities”.
A recent global study by BT revealed that 76% of large organizations cited security as their main concern with using cloud-based services, and 49% admitted being “very” or “extremely anxious” about the security complications of these services. However, according to Gartner, the reality is that “most breaches continue to involve on-premises data center environments”.
Where do you stand on this issue?
In this talk, we will debunk the top myths of cloud security, including:
Myth 1: We don’t really use the cloud
Myth 2: I lose control of my data when it goes to the cloud
Myth 3: Cloud is less secure than on-premise solutions
Myth 4: I’m at the mercy of cloud vendors for patching
Myth 5: Appliances provide greater control over scalability/performance
Myth 6: Cloud security is more difficult to manage
Myth 7: Cloud resources are more exposed to attack
Myth 8: Multi-Tenant Clouds Expose Privacy Concerns
Myth 9: Cloud vendors lack transparency
Myth 10: Appliances are more reliable than the cloud
2. Cloud – Why all the Misunderstanding?
"Cloud computing, by its very nature, is uniquely vulnerable to the risks of myths. It is all about capabilities delivered as a service, with a clear boundary between the provider of the service and the consumer. From a consumer perspective, 'in the cloud' means where the magic happens, where the implementation details are supposed to be hidden. So it should be no surprise that such an environment is rife with myths and misunderstandings."
- David Mitchell Smith, VP and Gartner Fellow
3. Myth 1: We don’t really use the cloud
• Shadow IT is an unstoppable force for most enterprises
• Visibility is a challenge, much less control
• Consumerization of IT has pushed personal cloud apps to the enterprise
• Traditional enterprise apps are moving to the cloud (Office365)
• Saying ‘no’ is no longer viable. IT must shift from ‘Block or Allow’ to ‘Manage and Monitor’.
• Learn from your network data to better understand employee behavior and work to implement solutions that maintain productivity by permitting the use of desired resources in a manner that doesn't expose the company to
4. Myth 2: I lose control of my data when it goes to the cloud
• Control should not be tied to platform or location
• Data residency and retention can and should be under enterprise control when necessary
• Data portability should be a requirement, as data should remain under corporate ownership and remain accessible
• Data storage practices must conform to regulatory compliance measures
• Determine the level of control over data that is required, regardless of solution, and identify cloud vendors that can meet your needs
5. Myth 3: Cloud is less secure than on-premise solutions
• Vast majority of recent data breaches involve data stored on local systems
• Location has little to do with security – people, process and technology will determine security regardless of location
• Cloud providers benefit from economies of scale when securing data
• "Cloud computing is perceived as less secure. This is more of a trust issue than based on any reasonable analysis of actual security capabilities. To date, there have been very few security breaches in the public cloud — most breaches continue to involve on-premises data center environments."
6. Myth 4: I’m at the mercy of cloud vendors for patching
• Software/hardware vendors must also provide patches…but it’s your responsibility to apply them
• Open source libraries commonly used in security appliances
• Patching can be costly and time consuming
• Functionality upgrades also force patching
• Cloud vendors have incentive to expedite patching efforts
(Shown on slide: Ghost, FREAK, POODLE, Shellshock, Heartbleed, VENOM)
7. Myth 5: Appliances provide greater control over scalability/performance
• Appliances require planning for anticipated demand, while the cloud permits paying for actual consumption
• Cloud elasticity places the burden of resource planning with the vendor
• Sudden growth (acquisitions, mergers, etc.) does not necessitate major architectural changes
• Appliance scalability will be impacted by features utilized
• Appliances can only protect what they can see
• Scaling appliances can add complexity to the overall architecture (i.e. load balancers, reporting engines, log aggregators, etc.)
[Diagram: HQ, Regional Office, Acquisition, Remote Employees, Cloud]
8. Myth 6: Cloud security is more difficult to manage
• Policies and reporting for numerous locations and remote employees can be managed via a single, web-based console
• The heavy lifting required for data consolidation is handled by the vendor
• Data portability ensures that the cloud isn’t a silo and interacts with alternate security workflows
• Patching and upgrades are handled by the cloud vendor
• Adding new capabilities is a matter of enabling features as opposed to rearchitecting
• Customers can focus on leveraging as opposed to maintaining solutions
9. Myth 7: Cloud resources are more exposed to attack
• This myth ignores insider threats
• Even custom enterprise applications are typically Internet facing to accommodate remote users
• Local solutions are less likely to implement strong data security and monitoring
• Enterprises often implement split tunnel VPNs to permit access to internal applications, exposing additional threats
• Cloud infrastructure is typically far more resilient in the face of a DDoS attack
• Economies of scale allow cloud vendors to invest in security people/processes/technologies
10. Myth 8: Multi-Tenant Clouds Expose Privacy Concerns
• Hypervisor vulnerabilities are rare and successful attacks are even more so
• Management interface should be isolated from customer resources
• Customer data should be properly encrypted/encoded to further limit privacy threats – this is far less likely in a proprietary, on-premise app
11. Myth 9: Cloud vendors lack transparency
• Consumers of cloud security must demand transparency through online resources (e.g. trust.salesforce.com), SLAs, open policies/procedures and third party attestation
• It is the responsibility of the consumer to ensure that the cloud vendor provides an overall security posture that meets/exceeds the on-premise security posture
• Compliance does not equal security – it forms a baseline, but is not an endgame – customers must ask the right questions
• Not all clouds are equal
12. Myth 10: Appliances are more reliable than the cloud
• Most enterprises are not in the business of enterprise security or developing/maintaining IT solutions, which remain cost centers
• Cloud security vendors benefit from economies of scale and can afford to invest in world class security, development and operations teams and resources
• Cloud vendors live and die by their reputation
• How many appliances offer reliability/uptime SLAs?
13. Questions?
Free Security Health Check
Risk-free evaluation of your security infrastructure
Go to: http://securitypreview.zscaler.com/
Bil Harmer
Strategist, Office of the CISO
@wilharm3
bharmer@zscaler.com
Editor's Notes
Why are there so many myths about the Cloud? Marketing. Everything today is called cloud.
Take away the “how” of something and focus on the benefits.
Example: flying an airplane. All the things needed to actually make sure the flight is good. We don’t care. We just want to get from point A to point B.
We can do our own due diligence and check facts, but once you establish that, you just want the service.
Shadow IT has become an unstoppable force.
Don’t need IT to get this going
Runs on HTTP/HTTPS
Visibility is the first thing they need.
File storage – Box, Dropbox, OneDrive + Productivity – Office365, Google Apps + Sales – Salesforce + Development – GitHub
Important for CISO to understand what’s being used and know what cloud based apps are in place.
Caution against dictatorial response.
Need to move away from being the office of “yes / no” and get to a “yes, and here’s how”: Manage and Monitor.
Controls and processes to help enable applications that support the users and do not substantially expand or alter the existing risk profile.
Gartner projects IaaS to reach an annual compound growth rate of 29.1%
Cloud Analytics to grow from $7.5B in 2015 to $23.1B in 2020
According to Skyhigh’s Cloud Adoption and Risk Report the average company is using 923 Cloud services.
Elastica found that, on average, 2,037 files per user are resident on cloud file sharing solutions.
Contrast Office with Office365: a client-based versus a cloud-based app. You still have control over your data.
Location should not be defining your level of control
Interoperability or some form of standard data export should be part of the tool in order to ensure portability.
Regulatory requirements can be a deal breaker.
All have suffered in the last 24 months
RAM scraping malware – Target, Home Depot, Michael's
Stolen admin credentials – JP Morgan, OPM
Trusted partner – Target (Fazio), OPM (Keypoint)
Known Vulnerability – Home Depot
“We sell hammers” – Home Depot
One benefit of the cloud is the economies of scale. Cloud vendors can invest in much better security, higher level of security because they are in the business of securing data.
Patching is your responsibility
Patches may not be available
SSL
Heartbleed – OpenSSL heartbeat information leakage
2048 bit SSL
NIST mandated that all SSL certs issued after Jan. 1, 2014 offer no less than 2,048 bit encryption
Impact
Intensive processing cycles. A four-fold increase in the load on the existing Web Security Appliance.
A noticeable decrease in network performance (four-fold performance hit).
Requires additional hardware appliances.
POODLE - Padding Oracle On Downgraded Legacy Encryption – MiTM allows obtaining plaintext from the intercepted TLS session.
FREAK - Factoring RSA Export Keys - degrades the strength of the encryption used in SSL/TLS connections.
VENOM – Virtualized Environment Neglected Operations Manipulation - QEMU vuln. in the Floppy Disk Controller (FDC), allows a local guest user on affected virtualized platforms to escape from the virtual environment and execute code on the host.
BASH
Shellshock - GNU Bash environment command injection.
Ghost - remote code execution in glibc – heap-based buffer overflow.
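An added example, not from the talk or from Zscaler: a small Python audit that checks a constructed appliance inventory against the issues named in these notes (POODLE via SSLv3 still enabled, FREAK via export-grade cipher suites, Heartbleed via the OpenSSL version, and the 2,048-bit certificate floor). The host names and inventory values are made up, and matching export ciphers by the OpenSSL `EXP-` name prefix is an assumption; the Heartbleed range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) is a public fact, not something the slides state.

```python
"""Audit a constructed appliance inventory for the patching/TLS issues named in the talk."""
import re

NIST_MIN_RSA_BITS = 2048  # certificate key-size floor cited in the notes


def openssl_has_heartbleed(version: str) -> bool:
    """OpenSSL 1.0.1 through 1.0.1f carried the vulnerable heartbeat code; 1.0.1g fixed it."""
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(m) and m.group(1) <= "f"  # "" (plain 1.0.1) and a..f are affected


def audit(record: dict) -> list:
    """Return the list of findings for one appliance record (empty list = nothing to fix)."""
    findings = []
    if "SSLv3" in record["protocols"]:
        findings.append("POODLE: SSLv3 still enabled; disable it")
    # Assumption: export-grade suites are identified by OpenSSL's EXP- name prefix
    if any(c.startswith("EXP-") for c in record["ciphers"]):
        findings.append("FREAK: export-grade cipher suites offered; remove them")
    if openssl_has_heartbleed(record["openssl"]):
        findings.append("Heartbleed: OpenSSL %s; patch to 1.0.1g or later" % record["openssl"])
    if record["rsa_bits"] < NIST_MIN_RSA_BITS:
        findings.append("Certificate key is %d bits; floor is %d"
                        % (record["rsa_bits"], NIST_MIN_RSA_BITS))
    return findings


# Constructed sample inventory: hypothetical hosts and values, not real systems
INVENTORY = [
    {"host": "proxy-hq.example", "protocols": ["SSLv3", "TLSv1.0"],
     "ciphers": ["EXP-RC4-MD5", "AES128-SHA"], "openssl": "1.0.1e", "rsa_bits": 1024},
    {"host": "proxy-branch.example", "protocols": ["TLSv1.2"],
     "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"], "openssl": "1.0.1g", "rsa_bits": 2048},
]


def audit_inventory(inventory=INVENTORY) -> dict:
    """Map each host to its findings so the owner (not the vendor) can track what to patch."""
    return {r["host"]: audit(r) for r in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory().items():
        print(host, "->", findings or ["no findings"])
```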
Cloud elasticity. One of the big benefits.
Yes, you can scale on-premise solutions by purchasing more and/or larger appliances, but doing so can be costly and complex.
Plan for anticipated demand versus plan for actual consumption.
Peak times versus usage.
Cloud: you only pay for what you use.
Growth on-prem may need re-architecture, load balancers, rerouting. Includes loaded costs, people, process to manage.
Growth of a company, or remote locations and home users.
Appliance vendors don’t just sell one thing.
Myth is driven by not having used the solutions. I would argue the exact opposite is true.
Appliances are typically running in multiple locations, run by multiple people and it’s your responsibility to get all that information back into one place to manage. As a consumer you have one pane of glass into your data.
Caution
Ensure that the cloud doesn’t become a silo. Data portability needs to be addressed. How do you get that data out so it can be included with alternate security workflows?
Again, you don’t have to manage the patching and maintenance of the solution.
Expanding capabilities: add a box. SSL decrypt? Add another box. Sandbox? Add another box.
Cloud – pay a license and have it turned on. Burden is on the vendor, not you, because they manage the solution.
Re-iterate: it allows you to shift from managing and maintaining solutions to leveraging them.
Driven by the fact that it’s in the cloud. If it’s on prem I can control who accesses it.
You have to a have a bigger attack surface because you’re on the internet? Right?
Verizon data breach report shows insider threat as the highest risk
On-prem likely to have less security and no encryption.
OPM Breach - Data was not encrypted.
Typically, to address today's workforce demands, it gets exposed either through a web app or through a VPN or other remote access.
VPNs can create their own problems.
Typically run split tunnels, which put the user ON the local LAN with full LAN access, not typically restricted by port, protocol and address.
Cloud vendors can better invest in security because of the economies of scale. Larger security teams, robust infrastructure, because this is what they do.
Multi-tenancy gives us the elasticity. Cost savings because we use everything (CPU, storage, networks) since multiple customers use the same physical resources.
Theoretically you could break through the logical segmentation and see your neighbor's information.
Hypervisor attacks are rare. No example that I can remember.
More typically we are seeing attacks through more pedestrian ways: admins with shared or compromised credentials, known vulns sent in spear-phishing attacks.
If we are going to focus resources based on probability of attacks, this is not how they would get in.
The other option would be to gain access to one tenant account and try to jump to another tenant.
Potentially going through the management layer. It should be separate and managed appropriately.
This is where you as a consumer need to ask questions, need to validate what a vendor does.
This is how trust gets established!
What do you do? BGCs? Who can see my data? Is the data encrypted?
Many ways to gain transparency.
Just plugging an appliance into the wall doesn’t give you transparency. No access to source code etc.
Location doesn’t equate to transparency.
Online resources like trust.salesforce.com. Shows you everything about their clouds.
We have our own version trust.zscaler.com
See the status, outages, common vulns: has it affected us, have we done anything about it?
We want to be very open. This is how we establish trust.
We want them to know that a node went down; they didn’t notice, but we want them to know.
SLAs also help. $$$ repercussions.
Should be open about policies and procedures. BGCs, ISO/SOC attestation. What do you have and what can you show me?
Do not make the assumption that because they are an established vendor you don’t have to ask these questions.
You cannot outsource RESPONSIBILITY!
Certifications are the baseline. How would you expect the solution to be run in your environment?
Use the cert as the baseline (it could answer 80%, but you need to ask the rest).
You may need to have right to audit included in your contract, or other conditions that help ensure you have transparency.
The environment must be equal or better to what you would have had in house.
Most enterprises are not in the business of building IT teams or security teams. They are cost centers. No unlimited $$$.
Cloud brings economies of scale.
A cloud vendor offline for 15 mins is devastating; it shows up on the front page of the paper. A cloud vendor breached and the trust evaporates immediately.
No choice but to invest heavily in their security teams. Cloud vendors live and die by their reputations.
Security researchers aren’t cheap, trust me; talent is scarce. A security vendor can afford to have that in their HR budget.
If an appliance goes down, one of the best and most expensive SLAs you can get is replacement hardware in 4 hours. Imagine a cloud vendor down for 4 hours.
The only other option is to run enough capacity to allow something to fail without your user population seeing it. That also becomes very expensive. And again we’re back to the economies of scale.
When was the last time you built an in-house solution and your IT team gave you an SLA?