One of the biggest impediments to cloud adoption is the threat of data breaches and cloud service abuse. There is no easy way of managing such threats; the measures that you put in place for managing one threat can lead to an exacerbation of another issue.
By Mohd Ujaley
When you talk to the CIOs about cloud, the conversation will inevitably move to the subject of security. The truth is that today most enterprises are wary of adopting cloud due to security related concerns. These concerns are based on hard facts—nowadays security breaches are a regular feature. Recently the insurance giant Aetna Inc. announced that the company was going to approach cyber security as one more business risk that needs to be managed, in the same way that they manage fluctuating currency prices or the threats of lawsuits. Companies like Aetna Inc. have started realising that security is no longer just a tech issue; it is a business problem that needs to be managed.
Despite all the risks, the movement towards cloud computing is inevitable. The CIOs realise this, and efforts are under way to develop better systems through which security can be maintained while also taking advantage of the plethora of cloud applications that have exploded during the last few years. The ability to set up a virtual office in which enterprises have the flexibility to connect with vital applications anywhere and anytime is one of the factors driving cloud adoption on a massive scale. But security continues to be the major area of concern whenever vital information belonging to the enterprise gets stored on cloud based hosted systems.
Quest for Secure Cloud
According to a recent report from research firm Gartner, the Indian cloud computing sector is seeing impressive growth and by 2016 cloud based technologies will attract the bulk of the new IT spend in the country. The Gartner report also says that cloud adoption is “troubled with security risks” and has special “characteristics” that need a thorough “risk assessment”. The report predicts that by 2018, more than half of organisations will use some form of third party security to help manage their network infrastructure.
Security concerns are the primary reason enterprises are refraining from putting their vital data on the cloud. The current trend indicates that enterprises are only putting their non-critical data such as HR and talent management on the cloud. Bernd Leukert, Member of the Executive Board of SAP SE, Products & Innovation, says “You may see companies first putting HR and talent management to the cloud and then there could be gradual move to put sales, marketing and other parts of the business.”
“There is inevitable concern around security with cloud based platform as your data is no longer down the hall but that is unable to stop cloud becoming the preferred consumption model because utility based paradigm offered by cloud has strong economic case,” says Stephen DuBravac, Executive Vice President, Marketing, Security Weaver.
For companies such as FireEye, which deals in modern day persistent threats, cloud is an emerging opportunity. “Who could have thought few years ago that the enterprises will put their email into cloud!” says Julie Cullivan, Senior Vice President of Business Operations and Chief Information Officer, FireEye.
She points out that the enterprises must develop a holistic strategy for managing their data centre, cloud and security related issues. “The enterprises must decide in advance what they want to share and put in the cloud,” she adds.
A recent survey by security giant Symantec shows that 89 percent of Indian businesses experience rogue cloud situations, or unauthorised use of cloud services, and over 57% of the businesses have experienced the exposure of confidential information. “It is important for organisations to choose their security frameworks judiciously and work with partners that understand best practices of cloud security,” says Tarun Kaura, Director – Technology Sales, India, Symantec.
Sasha Pavlovic, Director of Cloud & Datacenter Security, Asia Pacific, Trend Micro, asserts that security is of critical concern. Security is readily provided by cloud vendors like Amazon Web Services. When you put data into the cloud, there is a shift of responsibility, and the pertinent question arises of where to draw the line on ownership of responsibility. “Sharing security is part and parcel of the industry,” says Pavlovic.
Sajan Paul, Director Systems Engineering, India & SAARC, Juniper Networks, is of the view that the benefits that can be derived from the cloud must always be evaluated in comparison with the security related concerns. “For some organisations giving physical control over to a third party is sometimes challenging – especially in the context of security, but the other way to look at it is that now one has access to the best in class security framework as the capex is shifted to cloud operators,” says Paul.
“Since cloud adoption is inevitable, we have to settle to the fact that it is part of the overall design. One needs to really classify the information to address the impact and risk associated to it. This will allow one to put the right level of security attached to each domain. One must also look at some of the best practices followed in this domain to be above the curve,” adds Paul.
How to Manage Security?
To the question, ‘how to manage security in the age of cloud?’ there is still no clear answer. But that should not come as a surprise if we consider the views of someone like Bruce Schneier, the American cryptographer—“Security is not a product, but a process.” Installing applications and buying security products is not enough; enterprises must also ensure that there is a clear policy on data sharing and security.
Enterprises cannot afford to rely only on AV systems, firewalls and other traditional security products to protect their networks. They have to put policies and regulations in place to ensure that the movement of data is controlled across the entire chain. “Companies require unified content security solution that incorporates unified content analysis, a unified platform, and unified management,” points out Surendra Singh, Regional Director, SAARC and India, Websense.
Singh is of the view that fast evolving malware, blended threats, internally initiated data leakage, and an increasingly border-less enterprise have rendered traditional point product approaches less effective while driving up the cost and complexity of the system. This ultimately defeats the purpose of having a deployment in the cloud.
With the rise of cloud and integrated infrastructure, there is also a change in the way security is viewed. The world is moving from firewall to pattern, and from network perimeter to application perimeter. The old rule of inside-good and outside-bad, with the network as a perimeter, is diminishing. Pekka Usva, Vice President, Corporate Security Business, F-Secure, says, “With cloudification, data is moving from own premise to cloud, so security must evolve and should follow the data.” He goes on to say that IP address based reputation is not effective, signatures are not able to stop new attack vectors and there is no coherent intelligence sharing.
No Silver Bullet, Follow the Data
The enterprise mobility trend has created multiple endpoints. In order to account for the large volumes of data stored and transferred through multiple control points, security solution providers have to redesign their offerings to thwart the advanced persistent threats—they must manage the access points. DuBravac of Security Weaver says that people now need to take a broader look at identity management than they had in the past; they need to look at the access to Big Data rather than looking at predefined access route stranded in the static.
While the promise of network security-based security solutions as the answer to advanced threats gains increasing attention, IT departments are still left grappling with a massive number of incidents, with too many false positives and a laundry list of manual processes to be tackled without the staffing and skill sets needed to win. This often leaves organisations exposed and vulnerable. An integrated security solution backed by intelligence is necessary to enable organisations to keep up with incoming attacks.
LNV Samy, Vice President, Engineering, Global Technology Centers – India, China, and Australia, Technology Products Group, Unisys says, “Ultimately, organisations must move to a more holistic approach to security that takes into account multiple and mobile endpoints using a combination of technology, policies, and education, and which secures the data itself. It is no longer sufficient to focus on securing the perimeter.” He is of the view that from a security standpoint, multi-factor authentication is the way to go while taking measured strides towards an integrated digital footprint across the spectrum.
With BYOD gaining momentum, organisations are struggling for strategies to protect their vital data and address compliance without disrupting employee productivity. System administrators are compelled to deal with a diversity of devices and operating systems. Dirk Kollberg, Senior Security Researcher at GReAT, Kaspersky Lab, points out that companies most often approach IT security as an egg shell concept. The egg shell is hard on the outside and keeps the contents of the egg isolated, but once there’s a crack, even a very small crack or hole punched in the shell, all the contents will leak out. The way corporate networks are secured is mostly the same. Even though it’s hard to penetrate such networks from the outside, it is not impossible. He further adds that there will always be vulnerabilities and no system is 100% secure. He recommends the use of proven security solutions and regular security audits of the IT infrastructure.
Most enterprises are using hybrid cloud systems, where they have a few applications running in the hosted cloud and a few in their on-premise systems. This creates another unique set of challenges for the enterprise and the security vendors. Tim Alsop, Managing Director of CyberSafe, a UK based company, which provides authentication key for SAP applications, says, “Enterprise needs to know what is going inside and outside of their data center or cloud.” He further adds that one way out is to bridge the gap between cloud security and on-premise system security.
On the other hand, Murli Mohan, Director & General Manager, Dell Software Group, says, “We can’t regard any particular solution as the silver bullet.” He recommends that the enterprises should develop a data security plan, which addresses every possible security related concern.
Growth Expected in Cloud Security
Companies are realising that they can’t do without putting their operations on the cloud, but if an attacker gains access to your credentials, he or she can eavesdrop on activities and transactions, manipulate data, return falsified information, and redirect clients to illegitimate sites. It is the need of the hour to invest in cloud security.
In the report titled “Global Cloud Security Market till 2018” by Research Fox Consulting, an international market research company, the global cloud security market was valued at USD 3.47 billion in 2013 and is estimated to grow at a CAGR of 16.8% till 2018.
According to Gartner, the Indian public cloud services revenue will reach USD 838 million by the end of 2015—this is an increase of almost 33%. Spending on cloud management, security and PaaS will both grow 35.4% to USD 56.7 and USD 84.6 million respectively during the same period.
The Gartner report also states that the Indian players are investing thousands of crores to improve their infrastructure as well as niche services capabilities to meet the rising demand while the international players too are investing in data centers in India.
“We expect the adoption of cloud to continue to drive growth in the Indian IT space. The increase in the number of companies adopting cloud is a clear indication that they have begun to understand the significance of cloud for business growth. While security will be a constant challenge, that will play a minimal role in accepting cloud provided companies understand their needs to move to cloud and implement efficient and updated security policies to protect the data. Cloud is here to stay and the adoption will only see exponential growth,” says Samy of Unisys.
Symantec sees healthy growth in the Indian cloud security market. Kaura of Symantec says, “From Symantec’s point of view, in 2015, we expect to see more and more data hosted in the cloud but as this move occurs, businesses will need to take a closer look at data governance to ensure that their data is cleaned before it is hosted on the cloud. Legacy data left unmanaged will continue to accumulate and present a persistent challenge for businesses.”
“The internet connects with billions of customers around the globe and if you have a new idea, it doesn’t take long to make an app. The way we use the internet changes all the time. Mobile phones become more and more powerful and we start to connect everything – think about fridge, Smart-TV, Voice Over IP Phone and more. While this offers new business opportunities, we need to think about our assets and those of customers. Security is not a profit center, but it is crucial for preserving reputation, protecting customers’ data and ensuring growth,” says Kollberg of Kaspersky Lab.