Let’s take a look at the Security Foundations Seminar that kicked off the RSA 2019 conference in San Francisco, California last week. The full-day session featured multiple speakers and presentations to shed light on the process of defining and deploying security frameworks, foundations, and architectures. One topic covered in depth was the security challenges involved with moving to the Cloud from a physical data center.
“Large organizations are getting their arms around cloud computing technologies, but there is still a large and growing gap between the pace of general cloud innovation and security controls and skills.” (The buzz at RSA 2019, CSO)
What are the security challenges in moving to the Cloud?
One of the fundamental changes is the shift in technology from physical servers to virtual servers and then from virtual servers to Cloud servers. Interestingly, the security administration capabilities didn’t change very much between the environments; however, who had access to the administrative tools had changed. As a result, how these administrative tools were secured also had to change.
With a physical data center, organizations had all their administrative consoles on site, and it was much easier to require a user to physically access the computer to access those tools to manage servers and users. As organizations move to the Cloud, their administrative consoles are also in the Cloud, which means these tools are remotely accessible. To protect the organization, a new set of security frameworks and controls must be put in place. The use of Virtual Private Networks (VPNs) and multi-factor authentication (MFA) is table stakes to secure these tools from unauthorized access. The end result is that there is now a whole new stack of auditing and logging that is required to support application security that didn’t exist prior to going to the Cloud.
How is a virtual Cloud different from having a data center?
With a physical data center, as I stated, you could actually say, “I’m not going to allow my Administrators and those with privileged accounts to access applications and perform administrative functions with root access remotely. They have to physically show up at the data center, prove who they are, then walk in, access the terminal with that console, and perform the administrative duties they’ve been asked to do.” So the data center itself provided a security barrier by restricting what could be done remotely versus what had to be done on site.
With the Cloud, there is no physical barrier preventing bad actors from gaining access. So the person sitting at home who is administering your Cloud application servers has to secure their equipment as well as use proper tools to log in. One of the presenters told the story of an Administrator who left his computer on at home while he went out for lunch, only to come home and find out that his son had been using it to play video games and surf the web while it was still logged in to the administrative functions. This begs the question, how do we make sure devices are securely managed when they are outside of our environment? Otherwise, the next incident, whether intentional or accidental, is just waiting to happen and will come in sideways on you. Going to the Cloud makes it ‘virtually’ impossible to put any physical barrier between your data, privileged account access/administrative consoles and root-level access to your applications.
How can companies mitigate security challenges when they’re moving to the Cloud?
The biggest thing that they highlighted was to ensure that the Cloud provider you’re dealing with has demonstrated that they have the security protocols in place for organizations that have similar security risk and target assets. So if you’re working with a Cloud provider who mostly deals with retail shops and merchants, and you’re trying to put in a FinTech product, you might want to reconsider that because their skillset and understanding of your security and risk mitigation may not be the same. The goal is to find a Cloud provider that has the proper skillsets to understand the risk factors particular to your industry, how to mitigate them, and what administrative tools are best suited to manage them.
The emergence of the “Cloud First” strategy is driven by a number of factors from cost savings to outsourcing Cyber risk. The common belief is that every Cloud provider has all these wonderful people who are very good at security, so why not outsource everything to them? As Ronald Reagan famously said: “Trust, but verify.” It is incredibly important as you consider moving to the Cloud to evaluate prospective providers: their Service Level Agreements, whether they encrypt data, how they manage access, what they offer in the way of incident response, and so on. The responsibility for the upfront due diligence to understand what services you are receiving and what risks you are taking by hosting your data center with any particular provider is on the customer.