Do you think cloud security concerns are generally overblown?
Many people incorrectly assume that cloud security concerns are overstated. In fact, the concern is very real, but not for the reasons most people think. Most major cloud providers provide extensive security controls, often beyond those of the best corporate data centers, but the virtual cloud instances within the cloud are another story. Customers are responsible for providing security for these virtual servers, which is where security generally breaks down. Some users incorrectly assume that security of virtual servers is the responsibility of the provider, which leaves them exposed when basic security controls are not implemented. Others fail to realize that very few existing security tools were specifically designed to work within the virtual servers in the cloud until it’s too late.
Adopting cloud services does not automatically make you more or less secure. However, this does not — and should not — stop people from moving into the cloud. Building on the strong foundation of cloud platforms, businesses can in fact achieve higher levels of security than they could in their own data centers. But to do so, they must rethink their approach to ensure the tools they use for cloud security are up to the task, and to ensure that every layer of their application stack is protected – from the web application code, to the cloud servers, to the virtual networks these servers use for communication.
What are the top threats to cloud security today?
Our research shows that the risks affecting the cloud and on-premises data centers are converging. There are very few threats that specifically target cloud deployments, and there is a good reason for this – security flaws in web applications have historically been one of the biggest areas of exposure and moving an application to the cloud doesn’t change this fact. In other words, businesses generally have not really done a good enough job with securing web applications to motivate hackers to change their tactics.
The best way to mitigate risk is ensure that security is built into the cloud deployment from launch date and the technologies used are natively built for the cloud. Far too often, people attempt to deploy security technologies designed for on-premises data centers, which focus on endpoints more so than applications, and quickly realize they don’t quite fit the cloud. In most of these cases the business ends up relaxing its security requirements, and as a result the newly deployed cloud infrastructure is more exposed than it was on-premises. Cloud security should be contemplated as one of the design considerations and be embedded into the deployment from day one in order to minimize risk.
What's your take on businesses increasingly placing their trust in cloud providers with infrastructures located outside of the United States?
This is far from a new trend, but one that has been accelerated by the disclosures of widespread government surveillance. The important thing to remember is that this is not a United States issue. Multiple governments around the world are working in concert to ensure they have visibility into Internet communications, and the concern remains real no matter where your data resides.