The Troublemaker CISO: Cloud Isn't EasySecurity Director Ian Keller on What Cloud Security Truly Requires
Hold the applause. Yes, it's me.
See Also: Threat Horizons Report
People think cloud is a silver bullet, but it’s not. It's not even copper. And people think cloud is easy and someone else’s problem. But it's not. I will now rant on this.
The cloud is nothing more than a highly resilient, outsourced data center with a lot of bells and whistles.
As most of you know, cloud is the big buzzword and generates a metric ton of income for all the pointy shoe consultants out there - north of $25 billion annually. Yet cloud is nothing more than a highly resilient, outsourced data center with a lot of bells and whistles.
The bells and whistles are what makes everyone sit up and take notice. Cloud is marketed to bring in the concepts of:
- NIRTS - "Need it right this second" computing. If anyone can tell me where I got this phrase, you win a prize.
- Good social responsibility.
- The "custodian of the Earth" narrative.
But how does cloud differ operationally from what you can do at any other hosted data center, or even on-premises? Well, it is more expensive on-premises - initially, anyway.
This rant is about the total shutdown on common sense when we go to the cloud. Do you know where the term "cloud" comes from? Yes, it's that little cloud picture we used to put on network diagrams to depict the internet - something out there, the World Wide Web.
For some reason, we see this cloud the same way we see that fluffy white one floating by on a nice summer’s day - stunningly beautiful and under the complete control of God. We can sit back and enjoy the view because it is all “managed” by someone else … and that is when the lightning strikes you.
What the Cloud Requires
Cloud, on-premises and hosted data center all have the same stuff - hardware, software and databases that lives in a hardened structure. There are multiple levels of redundancy across power, HAVC, network, ISP connectivity and active-active server clusters and data replication across several data centers, hopefully in near real time.
Cloud is a contractual concept.
So cloud is not a new concept, other than that you have zero direct control over it. It's a contractual concept, which I will get to.
What is new in the NIRTS model is the speed in which you can get a new host or service installed; cherry-pick what, when and for how long you want it; chop and change brands - in other words, play to your heart's content, as long as you pay the usage charge.
The worst part is that it all makes perfect economic sense. You realize direct and indirect savings through things like reduction in floor space, local power consumption, no hardware or CAPEX costs, fewer depreciation issues, no hardware recycling costs and no warranty issues.
Your data center is now an OPEX cost.
On the other hand, with this bill-per-use model, you can end up with runaway cost if you lose control over who is doing what and when. In one horror story, a company’s server tech spun up a bunch of servers to do a short-term bit of work, but they were never decommissioned. The tech blew the entire OPEX budget for the year in a few months.
So, seeing as cloud is nothing else but a hosted data center, why do we think that we are no longer accountable for all the normal stuff? Is it because that is what we were led to believe, or is it that we just hope someone else will do this for us?
I am going to say it’s a bit of both - mixed in with no clear direction and guidance from the top.
The requirement for control is even more relevant with cloud.
With cloud, you have to perform all the same governance tasks - change control, security review, implementation planning - and the "jumping through hoops" you do for an on-premises solution. Yet we act as if something has changed.
In fact, the requirement for control is even more relevant with cloud, given that anyone with the right credentials can "Just Do It" - which causes more havoc than benefit. A service can be spun up, used and decommissioned between compliance reporting checks and the first time you know about it is when the bill comes, or when the information gets compromised and the media is calling you for comment.
The sheer volume and level of risk that cloud can bring is astounding. How many signed contracts with customers contain the clause, "None of my data goes into the cloud without my express permission"? Consider where your office files are stored right now - Azure or Google. Yes, they're up in the cloud - all your client comms, contracts and other data - and all without express permission. Now throw in data sovereignty requirements, national critical infrastructure controls and whatever regulations you need to adhere to and then reassess your level of risk and compliance.
- You still must follow standard governance to spin up a cloud service, and you still must ensure that this is done in a secure way.
- The DEV/SIT/UAT/PROD processes must still be done, and no! - your cloud vendor will not give this by default.
- You still must ensure that systems are patched, even if you might not have to apply the patches yourself.
- Data Privacy Impact Assessments still must be completed prior to moving data.
- Procurement, Legal and Contracting still must make sure that you can move the data to the cloud and sign off on that.
When all that has been done you can relax - no, you cannot!
Now you need to make sure that your identity and access management is bulletproof and that role assignments are ironclad to meet GDPR and other PI legal requirements. Yes, the center might be GDPR-certified but not your instance. That is still your problem.
Again, nothing has changed so why do we act as if something did?
And There's More …
Then there is the impression that you will need less staff. No, you need the same level of staff you had before. Someone still needs to administer those systems, keep them "current" and do all the tasks they did on-premises but with a different interface/skill set added.
To back to the contracting I alluded to earlier: Have you as the CISO, CIO or CTO read the contract and terms and conditions of service? If you did, you and your legal counsel will know that unlike other agreements, you have little to no leeway to change the terms or wording of the cloud services contract or T&C's you are entering. You just must accept them. Can you live with the limitation of liability?
Make sure that you read every single line of that contract and know what you are in for. Understand where their - and your - responsibility starts and ends. And after reading the contract, you must ensure that your operating procedures are adapted to cater to the terms.
Advice in Closing
Cloud is great, with major benefits, but only if you go into it with your eyes wide open, fully aware of who needs to do what, and if you exercise the same level of strict control you would on-premises.
For all that is holy, stop thinking that this is new because it's not. The IT people might have a different opinion, but that is their right. From a security and governance point of view, it's business as normal. And from a risk point of view, things have gotten worse.
Get yourself a partner that know this stuff backwards and is willing to put pen to paper to prove it.
End of rant. Start the applause.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Ian Keller, who is director of security at a telecom company, is an information security evangelist with over 30 years of experience. He started his career in the South African Defense Force’s Combat School, where he served as an instructor in Army intelligence. Keller took this background into the corporate world and was instrumental in the creation of the global information security function for one of the country's Big Five banks. He subsequently was appointed as chief information security officer for one of South Africa's leading corporate and merchant banks.