Getting IaaS Security Right
October 14, 2014 | DevOps | Kevin O'Brien
In June of this year, the Ponemon Institute published a report on how the use of cloud technology changes the breadth and cost of data breaches. A few of the more interesting statistics that jumped out at us:
- 66% of respondents say their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information
- 62% percent of respondents do not agree or are unsure that cloud services are thoroughly vetted before deployment.
- 69 percent of respondents do not agree that their organization’s cloud service use enabling security technologies to protect and secure sensitive and confidential information
In other words, cloud infrastructure, while continuing to gain traction in the market, is also viewed as inherently more risky than on-premise technology.
Interestingly, however, the market for these projects is continuing to grow. Gartner predicts that by 2016, IaaS and PaaS spend will surpass SaaS. Businesses aren’t thinking about “going cloud” any more – they’re there, and they are moving increasingly important parts of their businesses into the infrastructure offered from Amazon, Microsoft, Rackspace, and others.
Understanding the Threat Surface
If you step back a few years, you can see that in the SaaS market, security was initially perceived of as a blocker to cloud adoption. Moving sensitive data to Salesforce, Google Apps, Workday, and the like was prohibitively difficult; while on-premise systems had strong firewalls, DLP, and other technical answers to threat, the cloud alternatives did not.
Over time, those challenges were considered in cloud-specific ways: instead of preventing users from sharing data, for example, technologies emerged that were able to find and remediate exposure of PII, PCI, PHI, and other sensitive information without driving users into shadow IT systems.
There is a strong analogue in this evolution of thought to what we expect to see in the IaaS trend that Gartner identifies. Consider that in the Ponemon report, 69% of respondents said that an increase in infrastructure-as-a-service would decrease their organization’s likelihood of a data breach. Why is this?
The IaaS Risk and Response Model
We believe that it is a function of not understanding the threat surface for IaaS. In the same way that firewalls did not provide security for organizational data stored in Salesforce, the SaaS-level solutions (encryption, tokenization, and compliance governance) do not map well to IaaS. In fact, the market has almost no answer for these risks yet.
This is where Conjur sits. We believe that the threats to IaaS have to do with privileges and secrets management. When properly managed, an organization can move infrastructure into automated cloud environments without worrying about user or service-level breaches, insider or outsider abuse, or escalation of privileges based on poorly secured SSH keys, SSL certs, or other secrets.
The conversation is just beginning, but as the Ponemon statistics reveal, it’s a critical one to have. We will be diving into it in more depth in our upcoming webinar on October 28, 2014 — you can register by clicking the button below, and join us to learn more about how these risks play out in practice, and how to address them within your organization.
Hope to see you there!