The intersection of cloud and security is a timely discussion given recent revelations that a virtual disk image belonging to the NSA – and containing more than 100 GB of data from an Army intelligence project code-named “Red Disk” – was left exposed on Amazon Web Services storage. And unfortunately, this is far from a one-off incident. That kind of news is exactly what partners trying to assuage cloud data security fears don’t need.

Red Hat’s Mike Bursell

How can you help customers do better? We caught up with Mike Bursell, chief security architect for Red Hat, to get his perspective. When speaking with customers, Bursell stresses that security isn’t just about breaches. Partners must also advise on data integrity, availability and more.

Channel Partners: In a recent survey, 74 percent of IT leaders said security concerns were a barrier to migrating to the cloud. Are these concerns valid?

Mike Bursell: The answer is: They may be. Companies are right to carefully consider the possible dangers of migrating to the cloud, but they should be aware that there may well be benefits as well. How many companies can afford to maintain 24×7 coverage of infrastructure health by experts in all of the systems that they are using? And what impact does infrastructure patching have on your day-to-day business?

It may be that cloud providers can help you here; this is their bread and butter, and a careful weighing of these benefits against the various risks may give you some surprises.

CP: Where does cloud security responsibility lie, with cloud providers or with the companies themselves?

MB: There are different types of security, and therefore different types of responsibility. When a company chooses a cloud provider, [it] needs to make that selection based on many variables — of which one must be security.

The first question people usually think about is confidentiality: Nobody wants their data leaking out! But what about integrity of data? Can the cloud provider assure you that no changes could take place to your data, or that it could not be deleted by accident? Equally important is availability. If I can’t get to my data, then it’s next to useless. So companies need to consider what questions to ask of their cloud providers, and what assurances they are willing to accept.

The bottom line is: Could your business line continue to run if your data was leaked, corrupted or lost?

From the point of view of companies, there is much that they should do themselves. The first of these is ensuring that their workloads are from reputable sources, patched and updated regularly. Maintaining authentication and authorization controls on applications is no less important when you are running them in the cloud than when you are running them internally; in fact, are the controls and mitigations that you have in place for internal applications equally effective in …

… the cloud?

CP: What should be considered when developing a cloud security strategy?

MB: Many issues should be considered when developing a cloud security strategy, but the first should be, “Why are you moving to the cloud?” This is not to suggest that you shouldn’t, but rather to expose the thinking behind the decision in the first place, to ensure that any security-related thinking is integrated with that. Whether the answer is for CapEx or OpEx savings, ease of deployment, faster response times, better collaboration or one of a myriad of other reasons, if your security strategy is not aligned, you’re like to discover significant tensions within your organization as you proceed with any deployments.

The next question is probably, “Who will have security responsibility for all the different parts of my deployment?’  Which “aaS” you choose – PaaS, IaaS, SaaS – will impact this decision. What can easily happen, though, is for components to fall through the gaps, and to end up with no owner to monitor, upgrade, patch or replace them, leaving an entire deployment at risk.

Then there is the question of “What goes where?” Although this is, at root, an architectural question – ensuring that sensitive data is kept inside the corporate boundary or applying appropriate API controls, for instance – there is a broader question: “Should you go public cloud only, hybrid cloud – part public, part private – or multi-cloud, using private and several public clouds?” [See insights on that from this year’s Red Hat Summit here.]

Here you need to consider costs of availability — and not just up-front cost. It may be cheaper on paper to go with a single public cloud and no private cloud, but can you protect your sensitive data adequately? Again, what happens if the public cloud suffers an outage? Could you move core functionality internally in time? Is there a danger that you will suffer cloud “lock-in,” and be unable to migrate to a different provider – or back in-house – in the future?

A final question to consider early in the process is how can you manage risk throughout the data cycle. Any application will need to be creating and collecting data, using it, sharing it and disposing of it. Where should all of these functions live, how can they be monitored, automated, and, crucially, audited? Frameworks such as GDPR, for instance, require that data destruction includes removing data from backups, so if you don’t know where backups reside, or who is responsible for them (see above), you will have problems with your applications and their data in the future.

CP: There have been many data breaches in the press recently. What cloud security mistakes were made?

MB: It’s important to understand that IT security as a whole, not just cloud security, is complex and ever-changing. This is in direct correlation to the expansive, complex and heterogeneous nature of modern data center landscapes, from mixing legacy and emerging systems together to adding raw innovation in the form of Linux containers or microservices to an established architecture.

One thing remains clear, however: Good hygiene is always important. “Hygiene” as it relates to security means …

… patching, password management, changing obvious “admin-admin” username/password combinations, and so on. These activities provide a foundation for additional security practices and processes. By combining these with resiliency, redundancy and change tracking, as well as automation, security teams can also remove the bulk of the human variable from the security equation while freeing security teams to work on more proactive protections and technologies.

CP: What innovations in cloud security can we expect over the coming years?

MB: There are a number coming, both in terms of software and hardware. The one that people will notice most will probably be closer integration of threat and vulnerability analysis into the development and deployment life cycle. We’re also going to see more automation, and with automation comes the ability to measure and manage risk, as you get the opportunity to apply security policies and governance models through the entirety of the life cycle.

Combine all of these with the promises of quicker and more accurate threat analysis by AI and machine learning, and we’re in for an interesting few years.

On the hardware side, several of the chip manufacturers have started to announce the availability of Trusted Execution Environments. These allow you to create “enclaves” that can execute on cloud hosts with significantly more security than existing workloads. This change, as it gets rolled out, should allow two things: new offerings from the cloud providers themselves, and the ability for companies to make different risk evaluations about which of their sensitive processes and data they’re happy to have hosted by somebody else.

CP: What would you say to a company that is on the fence on moving their data to the cloud?

MB: The most important thing for a company considering moving data – or critical applications – to a cloud provider is to ask themselves a question: “What’s the risk/benefit balance?” It’s a question that, really, all companies should be asking themselves any time they have a technology decision in front of them: “How does this affect my risk?”

Risk could mean facing a potential breach, it could mean downtime due to a vulnerability, and so on. Regardless, companies need to weigh their perceived risks against the benefits of going to the cloud. Just like there is no surefire way to secure your software, there’s no perfect security footprint for cloud computing. But there are many, many ways to make it more secure and safer, and it all starts with the foundational elements of your IT infrastructure before you even dip a toe into the cloudy waters.