When It Comes to Cloud Security, Leave the Sandbags at Home
There was a time when businesses defended against cyberattackers by piling up the equivalent of digital sandbags. The idea was to trust whatever was inside the perimeter and distrust whatever was outside the perimeter.
But this approach to cybersecurity doesn’t work in a world in which data, applications and employees don’t always reside inside a company’s four walls. It’s a message managed service providers need to convey to IT: Late-20th century cyber defense strategies won’t work to protect 21st century cloud deployments.
Bygone World of Digital Moats
The perimeter approach worked fine in the era before employees worked from home, when IT stored all corporate applications securely inside office servers. Back then, organizations set up firewalls with intrusion detection systems, and that was enough. Access was controlled and based on certain rules. The perimeter separated the data center and the organizational network from everything else on the other side of the digital moat.
But security executives now face new challenges that have undercut many of the old assumptions about perimeter security in corporate computing settings.
- The emergence of an app-based culture has helped poke holes in defenses as intruders employ viruses and worms to bypass once seemingly secure perimeters to gain network access.
- The mainstreaming of the Internet of Things means that more intelligence is getting pushed to the edge of the network. While businesses deploying IoT have become more efficient and functional, they also risk new vulnerabilities as each piece of sensing technology also serves as a potential point of entry for attackers.
- The increasing popularity of so-called “shadow IT” presents unique security headaches as individual departments frequently bypass corporate procedure and independently add hardware or software. IT often doesn’t know what its users are attaching to the network, and the products being attached may have been poorly designed, thus presenting juicy targets for hackers.
- The popularity of BYOD and the rise of a more mobile workforce has required IT to scramble as employees are now accessing corporate apps and data remotely from different devices and different locations.
The upshot is that with increasing amounts of data leaving the internal network and a greater number of unknown and untrusted entities being invited in, the old notion of physical perimeters and hard-wired network architectures is not just quaint; it’s ineffective in the cloud computing era.
Flexible Approaches to Cloud Security
With the perimeter receding, data now gets stored in many different places. Cloud implementations based on SaaS, PaaS or IaaS exist outside of what once was the traditional enterprise boundary, so information security technical controls need to become more virtual and software-based.
In the hybrid cloud, for instance, data may reside in the corporate data center, the private cloud and/or a public cloud. That creates new potential vulnerabilities, and so companies must account for more complicated scenarios.
There’s no single best approach to cloud security, and MSPs navigating clients through this increasingly complex environment should advise them to adopt a multilayer defense strategy that offers protection at each point.
IT ought to ensure corporate control over data as it moves around, using secure private networking between the various networked environments. Encryption won’t prevent cloud data theft entirely, but by rendering company information unintelligible to outsiders it can reduce the impact if intruders do wind up gaining access. At the same time, security managers need to be able to see what’s going on across their cloud network on an end-to-end basis. And in the event threats do emerge, companies should have detection capabilities so they can identify intrusions and then respond with alacrity.
Finally, companies should enforce clear usage policies so their employees understand what’s acceptable and what is not. Any third-party services that wind up being used in the cloud need to be registered and governed by IT. The goal is to reduce, if not eliminate, any backdoor acquisitions and instead force them through proper vetting channels. Any small wins on any of these fronts will add up in the end to a very large victory.
This content is underwritten by VMware — and is editorially independent. It is produced in accordance with conventional standards of business journalism.
Charles Cooper is an award-winning freelance author who writes about business and technology. During his 30-plus year career, he has worked as an executive editor at several leading tech publications including CNET, ZDNet, PC Week and Computer Shopper.