Difference in degrees, not kinds
There is always someone in the room who makes a buzz about cloud security and who is even more surprised when I state that cloud security is not so different. Don’t get me wrong, cloud security is important, but it is not too different from non-cloud/on-premises security.
To elaborate, security can physically only be implemented “on” the infrastructure, endpoint, application, and data layers. Hence, cloud is none of them. Or put differently, cloud is just another computing resource. And just as with non-cloud/on-premises computing, security solutions can be implemented on all these physical layers.
Of course, this discussion can easily be settled by distinguishing between physical and logical types of security layers. So, taking just identity and access management and a cloud security as an example, these concern a logical layer and not a physical one. But considering cloud from a physical point of view helps in two regards:
- It gets rid of the conviction that every business process you move to the cloud is insecure and that you are out of security options.
- It enables a critical evaluation of your currently-owned set of security services and products. These may not yet be fully implemented/deployed, and/or not optimally combined with the other (security) services and products you already have but could provide added security value when fully optimized. And this inherent added value may be equivalent or even beyond the state-of-the-art, new security services and products that are being offered to you by your vendors.
Coming to the first point, it’s important to realize that you will still have the same physical layers for building your security solutions as in a non-cloud/on-premises computing scenario: infrastructure, endpoint, application, and data layer. The main difference is that cloud computing shifts the focus from you being in control of the technology yourself to being in control through several processes built on a basic level of trust in your service provider. These processes are: risk management, security assurance (align security controls and requirements with the cloud provider) and security compliance (check on compliance with your security requirements through instruments such as audit, pen-testing, and KPI monitoring and reporting). The degree of shift is, of course, influenced by the cloud service model (IAAS, PAAS, SAAS) and cloud deployment model/type (private, public, hybrid, community) in a specific situation.
Turning to the second point, let us consider, for example, Cloud Access Security Broker (CASB), which is often positioned as a complete new security solution. Yet, in essence, it’s an access management type of security solution that enables security solutions, such as data loss/leakage protection (DLP), to become effective again following de-perimeterization, as a consequence of adapting cloud computing and BYOD. So, logically, CASB can be seen as a Policy Enforcement Point (PEP), which requests (and enforces) decisions from a Policy Decision Point (PDP), such as DLP, data encryption, tokenization, PKI, cloud activity monitoring, malware filtering, and access and authentication management security solutions. It is possible the integrated DLP solution that comes with the CASB solution is needless, since you already have a DLP solution. It is also worthwhile investigating if you can achieve the same results based on your current access management solution and DLP solution. So, my point here is that you don’t always need to invest in the latest all-singing, all dancing product to stay secure because you may already have elements of it that just require integration.
Think out of the box
To sum up, don’t be too rigid when it comes to assessing the risks of business cloud services. A lot of security options are available for cloud if you are willing to think out of the box. In a business highly dependent on interorganizational collaboration, cloud can even be a security enabler. Consider, for example, federated identity management, which enables organizations to retain control over their identity, authorization, access, and authentication key-security processes while providing efficiency regarding operations. In other words, focus on enabling your business with security and prevent being perceived as a business disabler, which in the end simply won’t provide the required level of cloud security.
Look before you leap!
More importantly, try to understand what the new security service or product provides to you beyond the face value. You may come to interesting conclusions about your current (security) solutions and discover interesting avenues for cost savings!