In the world of technology, paradigms shift quickly. Not long ago, we focused organizational security efforts on the perimeter of the network. We assumed that systems would be secure if we could just keep the bad guys outside of the trusted network. Phishing and malware, however, among other things, proved this to be a false assumption – perimeter defense alone would not be enough.
Responses to this often included efforts to seize control of information assets. Control implied security. When the cloud stepped onto the stage, lack of organizational control stood out as a primary barrier to adoption.
I am by no means diminishing the role control has in securing information, but control wasn’t really the issue with reluctance to cloud adoption. The cloud has actually gone a long way in securing systems on-premise and in the cloud. When key systems were decoupled from the perceived safety of the corporate network, secure methods of transmitting data between them had to be developed. Such methods also had to be easy for enterprises to adopt.
We realized that we might not want our cloud vendors to have access to back-end data so we encrypted the data and distributed keys such that cloud providers could not access the data they hosted. Robust APIs were created to integrate systems while providing only the minimum required service access. Likewise, communications between system components such as databases and web services were also encrypted.
The cloud offered a perception of insecurity that prompted a positive change in organizational security architectures, but a key fact here is that many of the organizational systems that moved to the cloud were not secure to being with. They only became secure as they adopted secure practices. The risks that were present in moving applications as they were to the cloud were already present in the application architectures. Shortcuts like advertising services and ports, allowing back-end components to communicate unrestricted, and giving IT the keys to the kingdom, may have been overlooked in the organization but they were clearly a bad practice in the cloud.
The cloud gave us the chance to re-architect the monolithic technology systems that had evolved over decades of growth and in response to the immediate threats of the era. These were replaced with scalable, virtual servers that were flexible enough yet specialized and hardened. Cloud systems also offered effective ways to plug-in best of breed security technologies such as application whitelisting, monitoring and control, identity and access management (IAM), Data loss prevention (DLP), and robust anti-exploit anomaly detection to combat the latest Advanced Persistent Threat (APT).
Some are still adopting these practices while others are taking it to the next level. The cloud made us realize how big the gap was and now it is time to serve the attackers an eviction notice. We can’t assume in our virtualized cloud environments that administrators or vendors will implement adequate malware protection on virtual machines, nor should we compromise with solutions that can only see a piece of the puzzle when technologies like hypervisor introspection analyze virtual machines at the hypervisor level.
It is time to tell the bots and the ransomware that it’s not welcome here anymore. The attackers have improved their tactics, but so have security partners. We can now collectively say, “We confronted our fear in the cloud and emerged stronger.”
As always, thoughts and ideas are my own. This insight wouldn’t be possible without the help of my associates at Bitdefender.