Traditionally, cloud has been seen as having major security vulnerabilities. Is it now possible to ensure that corporate and customer data is protected when used over public and private cloud services? What new security policies and architectures actually take advantage of cloud delivery in order to increase the levels of security?
The value proposition of cloud is becoming too great for organizations to ignore, and rather than continually having CISOs sit on their hands and complain about security challenges related to cloud, practitioners must figure out a way to take advantage of cloud’s capabilities.
Traditional controls and old security measures are no longer effective in the present security environment, whether within an internal infrastructure or in the cloud. First, this requires prioritizing where new risks lie and what needs to be protected. Second, the distinction between external and internal environments no longer exists.
Considering these items, the issue revolves not around security but around risk. The benefits of the cloud must be weighed against the risk of putting certain data into a cloud environment. Start with the risk profile of the workload you’re trying to move, then decide on the most effective destination.
An internal cloud, a hybrid cloud or a public cloud each comes with its own benefits and trade-offs, and a large enough company can conceivably find use cases to operate in all three. In some cases, placing data in a public cloud may be just as safe as hosting it internally. The ideal middle ground, however, may be a virtual private cloud, one that allows you to control the ingress and egress points back into your environment.
Performing this due diligence will cause many CISOs to rethink their approaches to security and may even result in some traditional principles becoming outdated. But this new cloud-based security model still has room for growth, including APT protection and more control and solutions from cloud vendors overall.
Sanjog Aul: Welcome, listeners. This is Sanjog Aul, your host, and the topic for today’s conversation is “Cloud Enabled Security”, and I have with me Larry Biagini. Larry is the Chief Technology and Security Officer for GE. Now, there have been a lot of complaints and fears about the security of cloud, but for the purpose of this segment, we wanted to turn that idea on its head and find out what it would require to take advantage of cloud delivery so that we could actually increase our enterprise security. The first question I have for you, Larry, is that there must be some common denominators we look at when we try to explore securing an on-premises infrastructure and/or applications compared to the cloud. So what are those?
Larry Biagini: First of all, I think you’re right to ask the question to turn it on its head, because there are some common denominators. The first and most important is that things that we’ve done in the past for security, both internally and externally, or in this case cloud, don’t work in this environment and haven’t worked for a while. So the common denominators really are: you need to prioritize where your risks are, understand who would like to exploit those risks, understand what you can do to mitigate or lower the probability of those risks being exploited and then deploy the correct controls depending on the environment that you’re in.
“You need to prioritize where your risks are, understand who would like to exploit those risks, understand what you can do to mitigate or lower the probability of those risks being exploited and then deploy the correct controls depending on the environment that you’re in.”
Because none of the general controls, for the most part, that we’ve used in the past at the network perimeter, for instance, are really effective in this environment, either for internal infrastructure or for cloud infrastructure. So we have to get very specific about what it is you’re trying to protect, why you’re trying to protect it, who’s interested in it, and then put the controls around it to make that data or that information or that process as protected as it needs to be, but also put good incident response, good detection capability and good communications policies in place for when things go wrong, if in fact they do go wrong.
Sanjog: I’m sure that others in your role or industry are focused on which environment is inherently better equipped to track vulnerabilities, manage points of failure, handle breaches and perform all other measures expected of a secure infrastructure. So where are you seeing the trend going? Do you think that cloud is becoming a favorite because it is new and it is basically breaking the old molds of how you used to handle things earlier?
Larry: I think cloud is getting traction because just the value proposition of using cloud computing is too much to ignore. So the struggle that our security organizations have is to figure out a way to take advantage of that. When you think about what’s more secure, internal or external, I actually don’t think that’s the right question, because there really isn’t a lot of difference between internal and external anymore, at least for large companies, because they have a connected supply chain and they’re connected to their customers. I think one big difference is, on an internal network versus cloud, you do have the capability, if you exploit it, to get better visibility because you understand the infrastructure, you understand the administrative processes that are used and you just get a better look at it because you know where all the pieces are. In the cloud you have to depend on process for that; you have to depend on cloud providers to provide you with logs and things like that. You may have to do a deeper level of analysis than you would in your own environment.
“The value proposition of using cloud computing is too much to ignore. So the struggle that our security organizations have is to figure out a way to take advantage of that.”
Sanjog: Would you say that in the new cloud environment you’re becoming more cautious or vigilant? Is it inherently pointing you in the direction of being more secure and more responsible?
Larry: I don’t think it’s a matter of degrees whether it’s more secure or not; it’s a matter of risk. The benefits that you get from the cloud have to be weighed against the risk that you take for having that data exposed or that process exposed in a multitenant environment, or in a single-tenant environment you have some other options. But how you’re deploying the cloud is really going to depend upon what your risk appetite is for the given workload that you’re talking about. Not all things would we even think about putting in the cloud, because if you think of our most important intellectual property or something that we really believe to be a competitive advantage, we probably would put very strong controls around that or keep that internal, just because it’s something that we think we can protect better and that we have an obligation to protect better because it’s so important to us. Other things that may not be as important, or that we can’t afford to protect at that level, we will just make a risk-based decision on where the best place is to run the workload, in the cloud or internally.
“How you’re deploying the cloud is really going to depend upon what your risk appetite is for the given workload that you’re talking about.”
Sanjog: If you take the different flavors of clouds that exist, those being a virtual private cloud, public cloud or a totally private cloud, do you think you could draw a comparison across these multiple environments and determine if a particular environment is better suited because of the specific type of risk mitigation it offers?
Larry: Yes, I think that’s actually the way to look at it. You start with the risk profile of the workload that you’re trying to move, then you decide what’s the most effective destination for it, be it an internal cloud, a hybrid cloud or a public cloud, all of which come with different benefits but all of which have their own downsides as well.
Sanjog: People have labeled public cloud over the years as not that secure and private cloud as having too much baggage and too much capital. So is Virtual Private Cloud the best of both worlds?
Larry: I think there’s a place even for a company like GE to operate in all three models of that cloud. For instance, if you think about the way that you do web-based or customer-based applications, putting them in a public cloud is probably not any less dangerous than putting them in our own DMZs. When you think about reach back into our environment, you may not want to put that on a public cloud, but you certainly can put it into a virtual private cloud, because you can control the egress and the ingress points back into our environment. When you’re thinking about the data itself, you may not want to put that in a public cloud in a multi-tenant environment, but you may want to very tightly control how the application that may exist in a public cloud reaches back into the internal enterprise to the data that it needs to present for a given task that it’s trying to run.
“You certainly can put it into a virtual private cloud because you can control the egress and the ingress points back into our environment.”
Sanjog: Looking in hindsight, has this journey, as we’ve explored new horizons with cloud, allowed us to build our overall enterprise to become more secure by leveraging the new innovations that have made cloud more secure? Have those innovations percolated into the on-premises infrastructure?
Larry: I think it’s caused us to think about security in a different manner. Whereas before we used to think about security as: as long as it’s inside our four walls or inside our network, it’s relatively safe, and things on the outside are relatively unsafe. When we started to understand cloud and we started to understand what the possibilities were, it caused us to relook at our own thinking and say, you know what, there is very little network perimeter anymore. So any security model based on an inside versus outside perspective is probably invalid. So we started to rethink about it, and when we started to rethink about it, there are technologies that help us in both areas. There are technologies around encryption; there are technologies around key management. There are also new technologies around identity management, which is extremely important not only externally but internally. And if we start to base our security on those types of models or those types of technologies, which don’t allow this to exist yet, either for the enterprise or for the cloud, I think we’re going to be more secure.
“Any security model based on an inside versus outside perspective is probably invalid.”
Sanjog: Now that we’ve at least addressed some of the basic infrastructure elements, what else is on the drawing board? Beyond that, what’s still left to be desired? What’s not fully done yet that is preventing you from getting a good night’s sleep?
Larry: Good question. I think the cloud providers have made very good strides in differentiating themselves in different areas. Some of the public ones around orchestrating workloads and the private ones around visibility and building things like APT protection into their cloud offerings; I think they’ve done a pretty decent job of taking existing technologies that are out there and then figuring out how to plug them into their own infrastructures.
“The cloud providers have made very good strides in differentiating themselves in different areas… things like APT protection into their cloud offerings; I think they’ve done a pretty decent job of taking existing technologies that are out there and then figuring out how to plug them into their own infrastructures.”
What’s missing, though: I actually believe the enterprise has to have the ability to move workloads between clouds, and there needs to be a layer that sort of is an abstraction layer between two different cloud providers, and we get to move workloads around pretty much at will based on the differentiation in those backend clouds. I also think that there needs to be a much stronger identity management structure in place that supersedes any individual cloud provider, because an enterprise can’t be expected to use its Facebook ID, for instance, to log into our cloud provider applications. Thirdly, I think encryption both at rest and in flight needs to be strengthened, not by the encryption algorithms themselves, but in the control and the application usage of encrypted data. How much does the enterprise control, how much control does it have to give up to the cloud provider? Because if it has to give up all control of encrypted data to cloud providers, then we’re at the mercy of the processes within the cloud itself and we do lose some visibility.
Sanjog: Do you think this is more of a competitive marketplace issue or people issue or policy issue versus a technology issue?
Larry: I think it’s mostly a business issue, not a technology issue, but somehow or another we have to solve it, because the current technologies just don’t scale to the level that we need to scale. So somehow or another identity has got to be solved, because it’s a tenet for security going forward: once we’ve locked the network perimeter, identity became the new perimeter. Once we get that right, we’re going to have a hell of a time trying to figure out what’s actually going on in the cloud environments.
Sanjog: Which evolutions in the cloud infrastructure would you like to see happen that will allow you to use cloud as a role model to elevate the overall security of an enterprise?
Larry: I think one of the biggest things that we would like to see is the way that admin processes are handled within a cloud environment. The thought that nobody has the right to escalate privileges without a customer, for instance, agreeing that those privileges should be escalated, because the fear of cloud is that there’s an insider threat within the cloud itself in addition to external threats. So the more control we have over who has access to what, and visibility into when that access is used, the better we’ll feel that our information and our processes are secured.
Sanjog: When people now come to you to put a solution in place for a business purpose, will these conditions provide more clarity into telling you which direction to go, or will it make your decision more difficult and delicate?
Larry: I think there’ll be more clarity. I actually think as we get more experience and as we understand the workloads that we’re trying to move and the real risk versus the perceived risks, there will be more clarity. And again, I think it’s an education around the belief that being inside is more secure than being outside, that not being true for the most part. I think that education and just pure experience with moving applications out to the cloud will give us more clarity, because it’s much more of a decision tree. If then/else, I can move to the cloud; if then/else, it should stay inside just because we don’t have appropriate mitigations in place for the risk.
“Understand that you may have to give up a little bit of control, but that doesn’t mean that you have to give up a lot of security.”
Sanjog: What is your appeal to fellow technology leaders and CISOs as to what they can do in the interim to make sure the cloud remains secure, and so that they can maximize whatever is available as they go through this evolution phase to see how far they can take security for both on-premises and cloud?
Larry: My recommendation would be to think openly about it. There’s no way to prevent what’s happening in this space, because the value proposition is just too great and the velocity of the improvements is just too great. So rather than say no to everything, understand again what is possible with today’s technology, what the technology is building in the future, and get your feet wet. Put your toes in the water and put some applications out there. Understand what’s going on, and understand that you may have to give up a little bit of control, but that doesn’t mean that you have to give up a lot of security.