Gartner: Clouds Are Secure: Are You Using Them Securely?

CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries, and instead apply their imagination and energy to developing new approaches to cloud control, allowing them to securely, compliantly and reliably leverage the benefits of this increasingly ubiquitous computing model.

Overview

Key Challenges

Naive beliefs that cloud providers are totally responsible for their customers' security discourage organizations from ensuring that their employees use cloud services appropriately.
Some organizations, especially outside the U.S., are paying an opportunity cost by allowing unwarranted fears about security to inhibit their use of public cloud services.
Disproportionate attention to the cloud service providers' (CSPs') security posture has negatively impacted security by distracting attention away from the establishment of organizational cloud control processes.
Organizations that haven't taken a strategic approach to the secure use of cloud computing can easily use it in a manner that is less secure than traditional computing, resulting in unnecessary compliance incidents and data losses.

Recommendations

Cut through your organizational cloud preconceptions, and encourage cloud decisions based on business requirements.
Develop an enterprise public cloud strategy, including security guidance on acceptable uses for infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).
Implement and enforce policies on usage responsibility and cloud risk acceptance processes.
Follow a life cycle governance approach that emphasizes the ongoing operational control of your public cloud use.
Develop expertise in the security and control of each of the cloud models you will be using.
Implement technologies to fight the complexity of cloud diffusion.

Strategic Planning Assumptions

Through 2020, 95% of cloud security failures will be the customer's fault.
By year-end 2018, 50% of organizations with more than 2,500 users will use a cloud access security broker (CASB) product to control SaaS usage, up from less than 5% today.
By 2020, 85% of large enterprises will use a CASB product, up from less than 5% today.

Introduction

No evidence indicates that CSPs have performed less securely than end-user organizations. The recent history of public clouds has demonstrated that brand-name, externally provisioned, multitenant services are not only highly resistant to attack, but also are a more secure starting point than most traditional in-house implementations. [1] The cloud business model and the realities of Internet visibility provide huge market incentives for service providers to put a higher priority on security than is typical of end-user organizations, including their technical and process approach, and their undertaking of formal third-party security evaluations, such as ISO 27001 or SOC 2. The top several hundred cloud vendors use purpose-built or highly customized platforms, enabling them to avoid many of the security vulnerabilities typical of in-house implementations. Large CSPs leverage experienced system and vulnerability managers, and their economies of scale make it practical to provide around-the-clock security monitoring and response. It isn't just end-user organizations that find security benefits in the public cloud. Many SaaS offerings are based on some other vendor's IaaS or PaaS, allowing the SaaS vendor to concentrate on the features and security of its application, without having to worry about the security of the data center or OS.
Unfortunately, much of the IT world continues to operate under a counterproductive misconception about the relative security posture of public clouds. Such flawed assumptions unnecessarily reduce the ability to take full advantage of the cost savings and agility of commercial cloud services. Ironically, avoidance of cloud services may even lead to unnecessary security risks, as organizations continue to rely on poorly managed in-house systems that often have more security vulnerabilities than their public cloud equivalents.
While the parts of the stack under the responsibility of CSPs are generally very secure, the characteristics of the parts of the cloud stack under customer control can make it a highly efficient way for naive users to implement poor practices, which can easily result in security or compliance failures. The safe use of all forms of public clouds requires new organizational policies, skills and activities. No technologies — on-premises or in the public cloud — can ever be considered 100% secure or reliable — especially when users and IT staff are provided a new capability with no guidance on its use or management. Maximizing public cloud benefits means carefully governing your organizational practices for IaaS, PaaS, and SaaS to avoid introducing security or regulatory exposures on top of what would otherwise be robust computing platforms.
Putting any workload in IaaS, or taking advantage of applications through SaaS, requires modified and even new controls and new understandings of risk. While the large brand-name CSPs have demonstrated very high levels of security and reliability, the cloud model has resulted in the proliferation of thousands of SaaS offerings, most of which are small and poorly financed (a single individual can implement and run a SaaS product on a part-time basis). Small businesses do offer commercially useful services, but you should not rely on tiny vendors to provide technical or financial viability. Choose CSPs that are rightsized for your use cases.

Analysis

Cut Through Your Organization's Cloud Hype, and Encourage Cloud Decisions Based on Business Requirements

Cloud computing remains one of the most hyped concepts in the history of computing, which is unsurprising, given the fundamental shift it represents in the form of IT consumption. Many organizations continue to have overenthusiastic cloud proponents who often commit to the use of clouds without taking into account security, compliance and other control considerations. Simply moving existing workloads into the public cloud without rethinking security design, processes and system management can result in scenarios that are less secure than was previously the case within the enterprise data center. Ungoverned cloud use, especially of SaaS applications, usually exposes sensitive data, including regulated data, to unauthorized people inside and outside the enterprise.
The opposite scenario occurs when IT professionals or corporate leaders have deeply held aversions to the use of cloud computing. The unwillingness to take advantage of cloud computing can leave an organization in an unsecure, inflexible or uncompetitive situation. It can even damage individual careers.
Cloud hype, especially when cloud champions and cloud avoiders are in conflict, results in emotional and contentious decision processes, in which the winner typically forces a pro or con decision which is not based on business requirements and cloud provider characteristics. This leaves everyone deeply unsatisfied and, worse, it means essential control practices are not addressed. Unless an organization is ready to take an objective and methodical approach to the use of public clouds, Gartner's recommendations on cloud control will be difficult or impossible to follow.

Develop an Enterprise Cloud Strategy, Including Guidance on What Levels of Data Sensitivity Can Be Placed Into Which Forms of Public Cloud Under What Circumstances — and What Is Not Currently Acceptable

Organizations without a strategic approach to the use of public cloud services unnecessarily constrain themselves, resulting in tactical approaches to security and governance that inefficiently address risks on a piecemeal basis. The most significant step an organization can take to ensure appropriate levels of cloud security is for the corporate leadership to agree that cloud computing is significant and should be governed through planning and policy. Once an explicit executive decision has been made to base some amount of business on externally provisioned cloud services, then it becomes possible to guide the business, and IT, through requirements analysis, architectural planning and risk acceptance processes. A structure can and should be put in place to ensure the safe and legal ongoing use of public clouds.
Because cloud strategies usually lag cloud use, most organizations already have a surprising amount of unsanctioned, and even unrecognized, public cloud usage. Especially when sensitive or regulated data is involved, unapproved clouds represent an unnecessary risk exposure (see "Everything You Know About SaaS Security Is Wrong"). When unapproved external services support mission-critical processes, it means an undesirable exposure to continuity and vendor risks. Corporate data may be trapped inside an inflexible service that cannot meet future needs or, worse, a relatively small provider teetering on the edge of bankruptcy (see "A Public Cloud Risk Model: Accepting Cloud Risk Is OK, Ignoring Cloud Risk Is Tragic"). It is equally counterproductive to set cloud supplier standards so high that few, if any, CSPs are able to meet them.
Without an enterprise strategy outlining the organizational expectations for the form, significance and control of public cloud use, IT leaders often feel that they lack the mandate to influence, let alone constrain, the use of public clouds on the part of business units (see "Don't Be Bypassed: The Six Futures of Sourcing and Procurement"). Fortunately, a growing number of Gartner clients are undertaking top-down strategic approaches. Driven by the CIO, CTO or chief digital officer, and led by IT strategy, architecture or business solution functions, a cloud strategy provides guidance on how upcoming purchases should be conducted and what should be done about the security and control of current and future public cloud services.

Implement and Enforce Policies on Cloud Ownership and Cloud Risk Acceptance Processes

No organizational process can be reliably undertaken, and no enterprise asset will be reliably used, unless responsibility is explicit and enforced. The foundational policy underlying the controlled use of externally provisioned services is ownership: if somebody wants to undertake the use of some previously unsanctioned public cloud service, then that person or his or her business unit manager must explicitly accept the ownership of that service, including responsibility for demanding compliance with the relevant policies, personal acceptance of the associated risks, and, if necessary, additional budget for security and compliance controls (see "Budgeting for the SaaS Security Gap"). It should be no surprise when IT leaders recommend against the use of cloud computing if they expect management to avoid taking responsibility for compliance. It is unreasonable to expect the CIO or chief information security officer (CISO) to accept the full implications of the use of services that they did not choose, and have no ability to control.
Efficient and noncontentious decisions about the risk acceptability of new public cloud services and use cases are best accomplished through some structure, including a defined security requirements process based on data classification (see "How to Approach Security Data Classification That Impacts Business Process"). A risk-based acceptance process that starts with a concept of data sensitivity or use case criticality enables cloud security specialists to concentrate their time and energy on the most critical and business-useful situations. Requests for cloud use that involve nonsensitive data should require little or no risk assessment effort, and security staff who demand high levels of assurance for the use of low-sensitivity cloud applications are losing credibility. Just saying "no" as the routine response to requests to approve cloud use is counterproductive and no longer acceptable in most organizations.
One of the most effective ways to streamline and simplify the risk process is to perform it less often. By preapproving a set of public cloud services for specific use cases and business scenarios, IT can proactively demonstrate the acceptance of public clouds, without having to perform a complete approval process from scratch every time the business wants a cloud service. Lengthy and complex approval processes are counterproductive, sending the message that clouds are not desired, and encouraging the line of business to find their own applications without asking IT for assistance in selection or governance. The IT department and security practitioners should be proactive in recommending sanctioned cloud services that best fit organizational needs. Gartner is finding increasing receptivity within the user base for preapproved and supported SaaS products in a variety of categories, including enterprise file sync and share, other forms of collaboration tools, and customer relationship management.
Organizations can make the CSP risk assessment process more efficient by favoring CSPs that have demonstrated their security posture by successfully completing a formal third-party security evaluation, such as ISO 27001 or SOC 2, which represents a higher level of security scrutiny than most end-user organizations have undergone.

Implement a Life Cycle Governance Approach That Emphasizes the Operational Control of Your Virtual Enterprise of SaaS, PaaS and IaaS-Based Services

Cloud security and compliance failures are virtually inevitable when organizations make the naive assumption that clouds can "take care of themselves." The failure to establish processes for the oversight and support of public cloud leads to the inappropriate sharing of sensitive data and the use of unsanctioned cloud services. It leaves the organization unable to explain to auditors, regulators, customers, citizens and corporate managers why regulated and proprietary data was placed into uncontrolled services without first establishing policies and guidelines over appropriate use. At a minimum, public cloud use requires regular attention to the status and performance of those CSPs that are being used for levels of processing that are deemed critical.
In most ways, the control of IaaS-based services follows patterns that parallel traditional in-house computing. Although the control technologies and some of the techniques may be unique to virtualized public cloud environments (see "Best Practices for Securing Workloads in Amazon Web Services" and "Implementing Effective IaaS Cloud Security in Microsoft Azure"), successful use of IaaS still requires attention to architecture, coding practices, testing, change management and vulnerability management.
Organizations that have not fully explored the implications of SaaS use often make the mistaken assumption that the majority of security-relevant tasks are under the control of the provider. The SaaS provider maintains the operating environment and application, but what is actually done within that environment — especially involving identity and access management (IAM) and data protection — is under the control of the customer. Most SaaS applications make it quite easy for individuals to inappropriately share data internally, and many applications also give individuals the ability to share large amounts of data externally, with little or no authentication required for access.
Effective control over the use of cloud computing is not about saying "no"; it's about having the ability to know what is being done within the public cloud, and being able to give managers, board members, auditors, regulators and partner organizations affirmative answers that cloud computing is being used effectively and appropriately, utilizing the innate advantages of the product model to reduce the potential for security incidents (see "Developing Your SaaS Governance Framework").

Develop Expertise in the Implementation and Control of Each of the Cloud Models You Will Be Using

IaaS and SaaS require different security and governance skills, and their control requires different tools. In order to ensure effective levels of visibility and control over various forms of externally provisioned services, the organizational strategy for the use of public cloud must explicitly address the reality that different cloud models will have different risk and control ramifications.
IaaS governance and control requires architectural, programming, testing, implementation and change control processes. While the basic framework of these tasks is very similar to the processes and skills used in traditional IT, the professionals completing these tasks will need to learn and develop virtualization and CSP-specific knowledge, especially regarding IAM, OS image management, network connectivity and encryption. For the foreseeable future, organizations that want to use virtualization and other IaaS mechanisms for sensitive use cases will need staff with a sophisticated understanding of cloud-specific security technologies. Tech-savvy individuals with new expertise will be required, either to perform low-level security tasks or to create user-friendly or automated control mechanisms that can function without the ongoing attention of cloud security technologists.
In contrast, the entire SaaS technology stack is under the direct control of the service provider, which means that enterprises that want to govern their usage of SaaS must either rely on whatever mechanisms each SaaS provider makes available or use some third-party product. SaaS security and governance involves the organizational tasks of setting policy and encouraging compliance with those policies. The controls that can be applied — typically, creating or linking accounts, password maintenance, data access policies, and activity monitoring — are almost exclusively performed through Web-based dashboards and consoles, so SaaS oversight processes are less demanding of technical expertise. The employees managing SaaS processes may be in IT operations, IT security, or even the compliance or privacy function, but they are generally not the same people who are interested in system internals or network protocols.
The aspect of SaaS that requires the highest level of internal technical skill is the integration of different services into common enterprise control planes, providing identity, policy enforcement, monitoring and other forms of centralized control. These are tasks that are most likely to be undertaken by security specialists who have experience in the implementation of identity tools, directory federation and network security mechanisms.
Over time, as SaaS providers continue to expand their APIs, and as the user base becomes more demanding of control, customization and integration, effective utilization of SaaS will require more architectural and coding expertise, or will require accessory products, such as CASBs. As demonstrated by Salesforce and its Force platform, strategically significant SaaS applications will increasingly take on the characteristics of PaaS. The greater the degree of customization demanded by the enterprise, the greater the need will be for individuals who understand the security and control ramifications and interfaces of SaaS platforms. And, of course, if PaaS becomes more common, enterprise use will require technical specialists who are familiar with the specific APIs and conventions of each service being used.

Implement Control Planes to Fight the Complexity of Cloud Diffusion

One of the downsides of the use of public cloud services is that they are innately diffuse, leading to console proliferation and management inefficiency. IaaS becomes complex because the number of workloads can expand indefinitely. SaaS is complex because of the number of providers, with virtually every organization regularly using at least a few dozen externally provisioned applications and the largest of enterprises accessing over a thousand. The "interconnectedness of all things," with a commensurate need for a degree of control over the use of cloud workloads, SaaS, mobility, identity, and other complex and dynamic domains, creates challenges in the establishment of common policies, and in the monitoring or investigation of user activity. Consolidated mechanisms, or "control planes," offering single consoles with an integrated view across multiple public (and likely private) clouds will become increasingly desirable as mechanisms facilitating the full benefit of public clouds, while ensuring that they are meeting regulatory compliance requirements and security expectations.
The foundation for the well-controlled use of external clouds of all types is identity governance and administration. Starting with the integration, or federation, of external clouds with the organizational directory service, and increasingly taking advantage of identity and access management as a service, with authentication as the most important function, identity governance ensures that only the appropriate people are using organizational accounts, and that only authorized users have permission to access sensitive data (see "Magic Quadrant for Identity and Access Management as a Service, Worldwide"). Control over privileged users is especially important, and should ideally be protected through multifactor authentication and activity logging (see "Market Guide for Privileged Access Management").
Although most organizations using IaaS are only using a small number of CSPs, thousands of virtual machines and applications may be in use. Cloud management platforms (see "Market Guide for Cloud Management Platforms: Large, Emerging and Open-Source Software Vendors") provide a single point of control over a set of workloads. As the use of encryption grows, cloud key management will become increasingly desirable, and even necessary.
Arguably, SaaS is harder to control than IaaS, because each application comes from a different vendor, with a different set of features, weak spots, control capabilities and administration consoles. No single control plane product will be sufficient for an enterprise's SaaS control needs, at least not during the next several years, but Gartner believes that the CASB will function as the enterprise's security and governance mechanism, providing a convenient point of control for setting common policies across multiple SaaS applications, and a single monitoring point for user activity and usage (see "Technology Overview for Cloud Access Security Broker").

Evidence

[1] Reports of cloud security failure continue to be conspicuous by their absence from conversations with Gartner clients and news reports. Virtually no mention of public cloud failures appears in prominent studies, such as the annual Verizon Data Breach Investigations Report.