Cloud Security World 2016 finished up on Wednesday evening after two days of conversation around all-things-cloud security. “We’ve seen this before,” was a common refrain, and thankfully attendees have moved past the point of denying the existence of cloud services connected to their organizations and of saying that cloud is “the largest” security concern.
Cloud providers may, in many cases, offer better data security for an enterprise’s data than the enterprise itself, and it seems attendees of Cloud Security World have reached a level of comfort with, or at least acceptance of, the ability of many third parties to act as custodians of their data.
That said, no architecture, infrastructure, tool, or technology, in and of itself, is 100% secure; event attendees came, instead, to talk about what methods could be used on their end to ensure data going into the cloud is as secure as it can be, how to monitor cloud systems, how to negotiate and work with cloud providers before the data is transferred or as it’s identified as hosted, and how to adopt new offerings (such as CASB and containers) to help with all of the above.
The takeaway was that there are no easy solutions, but cloud is now manageable with current technologies and processes. Pete Nicoletti, newly minted CISO at Hertz Global, shared that an inventory of his organization revealed over 3,000 (!) cloud-connected apps and services. The average company, he said, uses more than 1,000. Forward-thinking cloud-enabled organizations, Nicoletti advised, would be smart to move from minimal data encryption to encryption by default; from reliance on compliance to a focus on access controls and security intelligence; and from uncoordinated products and a failure to consider holistic operational impact to broad-based deployment, placing operational impact at the forefront of the organization’s security strategy.
Josh Pyorre, security researcher at OpenDNS, presented “Adapting the Security Operations Model to How We Work” in today’s cloud-connected workplace. The classic SOC model includes IDS, TVA, analysis systems, SIEM, netflow, logging, incident response, and more. But the traditional SOC, Pyorre explained, is based on disparate systems and too many manual processes. The modern SOC includes monitoring for and managing cloud services, focuses on behavioral analysis, doesn’t run away from BYOD, and puts automation at its center. It adapts to the way organizations are run and how employees work now, and can adapt to the pace at which devices and services are deployed—given the pervasiveness of cloud—in companies’ ecosystems. Attendees discussed leveraging proxy logs and IDS to identify “shadow cloud,” and some recommended the top cloud access security brokers (CASB) as a way to not only identify connected cloud services, but also for API monitoring, securing HTTP streams, and automatic encryption. CASB, as a middle-man of sorts between cloud providers and consumers, also helps SOC operators better assess risk; the more information collected by the brokers, the more they’re able to report on issues, alerts, or vulnerabilities, all of which is incredibly beneficial information for managing a SOC.
A highlight of the event, of course, was keynote speaker Chris Valasek and his talk about hacking a Jeep Cherokee in 2014 with his research partner, Charlie Miller. The two conducted tests to identify software vulnerabilities in the vehicle, then exploited those vulnerabilities to manipulate control of the radio, steering, braking, and more. While on the surface the talk was focused on IoT and the hazards of embedded hardware and software, CloudSec attendees saw the obvious similarities between it and the increasingly internet-connected, interconnected systems on which enterprises run. Device interfaces are becoming progressively important, introducing new vectors for attack. The downstream implications of third-, fourth-, and even fifth-party partners and systems are a growing concern for security practitioners. Contractual agreements, they said, aren’t enough; in the event of a breach or system malfunction, customers won’t care that the primary entity was compromised due to a lack of controls at the provider’s cloud provider’s cloud provider. Continual risk assessment and threat intelligence cannot be the purview of a few, but must be a pervasive element within the security, technology, and business teams together.
Many more great sessions were delivered, the infamous “hallway track” was in full effect, and attendees made new connections within the industry. As a lesson for MISTI, we’ll be looking towards upcoming security events and introducing more interactive sessions. The desire to share collective experience and knowledge was heard loud and clear.
Thank you, CloudSec attendees, sponsors, and presenters for your ideas and insights! We’re looking forward to seeing you at the next event.