Cloud providers step up security tools: Are they up to the job?

Christopher Null, Freelance writer

Data breaches have become a recurring nightmare for enterprises and consumers alike. And the security outlook isn't likely to improve anytime soon, with at least one industry report forecasting a range of new cyberattack vectors in 2019.

But enterprises have a new ally in their efforts to defend their data. The major cloud providers—Amazon, Google, and Microsoft—have jumped into the battle, making the tools and technologies they use to protect their data available to the organizations that use their platforms.

Here's a look at what provider-based cloud security tools offer and how your organization can take advantage of them.

Shared security

Cloud providers and their customers have long operated on a shared responsibility model: The vendor provides the security "of the cloud"—the hardware and software—and educates the customer about its accountability for the security of their efforts "in the cloud"—their data.

This arrangement has brought substantial benefits to enterprises that embrace it, said Jack Danahy, senior vice president of security for Alert Logic. The foundational security of the physical infrastructure, the network, and the compute hosts—traditionally the concern of the customer's security and IT teams—is instead managed by dedicated experts at the cloud provider.

And the provider's articulation of risks and responsibilities within the cloud platform is typically better and more prescriptive than most organizations would develop organically.

Mark Nunnikhoven, vice president of cloud research at Trend Micro, said that more cloud-native choice is better for cloud builders.

"These services help customers secure their cloud deployments in a manner that reduces the effort required to maintain their security posture."
Mark Nunnikhoven

Now, to further assist organizations with their end of the shared security responsibility, the major cloud vendors have introduced a host of new tools to help manage data on their platforms.

Over the last year, Google announced a range of security enhancements for its Google Cloud Platform that help reduce the risk of data exposure (the DLP API), provide access auditing (Access Transparency), and protect against DDoS attacks (Cloud Armor), all centralized through the Cloud Security Command Center (CSCC).

Amazon Web Services and Microsoft each have similar offerings that augment the security they've built into their clouds, delivered centrally through the AWS Security Hub and Azure Security Center, respectively.

Standards and visibility

David Gahan, global manager of Fortify On Demand DevSecOps for Micro Focus, said what's great about this approach is that it focuses on two key areas: standards and visibility.

With the vast number of compliance frameworks available, having a known starting point for leveraging a cloud vendor's offerings helps already overwhelmed security organizations keep up with the speed of cloud adoption while meeting today's high standards for protection. An organization’s ability to see and report on its compliance posture is critical.

"The days of trusting an enterprise at its word that it’s protecting your data are over. More and more customers require detailed proof of those controls as part of the cost of winning their business. Anything that lowers the burden of doing so for a security and compliance team is a win."
David Gahan

Cloud security considerations

Regardless of which cloud provider you work with, you should follow a few basic guidelines to successfully get the most from its security tools.

First, Danahy said, integrate security management staffing and priorities into the decision-making process for moving applications and workloads to a cloud provider. This is not a simple lift and shift, he said, since the tooling and the challenges will be different.

Also, you need to make sure the organization has a firm understanding of the shared responsibility model and how to apply it.

"Organizations can't be tempted to feel that they are putting their workloads into magical containers that can somehow defend them against their own configuration, construction, or management errors."
Jack Danahy

You still need to apply good security practices within the cloud, including understanding and ensuring secure configurations of services, testing the deployment of applications, timely patching of images, and monitoring of virtualized applications and traffic for attacks.

Understand the benefits and challenges

It’s also essential, Nunnikhoven said, to understand the goals and limitations of each specific security offering. Innovation is rapid in the cloud, and this brings with it both benefits and challenges. One of the key challenges: Some services might not have the same feature set as a third-party security service.

"The good news is these offerings often catch up quickly. That means you need to constantly stay abreast of what is happening with these services and the other cloud services available in the environment you're using."
—Mark Nunnikhoven

Once you have a grasp of the security controls on offer, define the expected outputs from whichever ones are to be put into place, Danahy said. "Is there a need for compliance reporting, a rapid-response team, or monthly trend reports?" he asked. "Especially in environments where multiple providers are present, you have to ensure that the team can generate the reporting and visibility that’s expected."

Finally, make sure you know precisely which responsibilities lie with the cloud provider and which with your team before you deploy.

Most providers will offer you free tutorial sessions or other learning opportunities ahead of a rollout, Gahan said, and it's worth taking advantage of them so you aren't learning how the tools work while you’re trying to implement them.

"Be consistent in your implementation methodology, but flexible in your thinking."
—David Gahan

Stay vigilant

Though your cloud provider can help harden your protection, that security perimeter extends only so far. Your customers will still hold you accountable for the security and stability of the products you offer. It's critical to stay involved with your provider and challenge them when you see something that could potentially put your business at risk.

Gahan also suggested you stay on top of changes in the core products you use, to make sure your level of threat protection remains as high as possible.

"Little product changes in the cloud—for good or ill—can have massive impacts on the security of your data. You have to stay ahead of the curve."
