Cloud solutions are quickly becoming an attractive option for the enterprise, given their efficiency and scalability. Despite the allure of this shiny new thing, however, security concerns remain. In our September #SecChat, we discussed the current cloud landscape and evolution of cloud security. Our panel of industry experts provided valuable insights on the topic, and encouraged a fast-paced conversation covering various aspects of cloud security. Here are some of the highlights:
Is the cloud inherently insecure?
In response to our first discussion question, in which we asked participants whether or not they believed the cloud to be inherently insecure, panelist @LNierat claimed that public cloud service providers are not reliable enough to protect data on their own. Rather, data should be encrypted to increase security. Alternatively, @bsmuir stated that the cloud is not inherently insecure, but it could very well be built upon insecure systems, putting more pressure on an underlying security system. Painting a broader picture of the digital security landscape as a whole, @rickhholland took the approach that everything is, in fact, inherently insecure:
A1: Enterprises shouldn’t rely on public cloud service providers to properly protect them. Data should be encrypted #SecChat
— Loretta Nierat (@LNierat) September 25, 2014
— Brent Muir (@bsmuir) September 25, 2014
— Rick Holland (@rickhholland) September 25, 2014
What are the key ingredients to protecting private and hybrid clouds?
Following the topic of insecurity in the cloud, the focus shifted to measures of private and hybrid cloud protection. @VirtualTal believes three central factors to be critical for protection: vendor selection criteria, compensating controls and training. Following this point, panelist @KingTherapy jumped in to state what certainly wouldn’t work in terms of protection: re-purposing physical security architecture for the cloud. Another unique approach to this question was surfaced by @MaryKillelea, who stated that implementing markers for comparison purposes is necessary to ensure cloud protection:
— Tal Klein (@VirtualTal) September 25, 2014
Re-purposing physical security architecture for cloud will not exploit chief security potential to remove topology limitations. #SecChat
— Jeremiah Cornelius (@KingTherapy) September 25, 2014
#SECcHAT Set up markers for trusted boot and make comparisons on safety based on change or consistency to those markers
— MaryKillelea (@MaryKillelea) September 25, 2014
What can be done to ensure a coordinated approach to server security?
In closing, we asked participants what actions could be taken to ensure a coordinated approach to server security. @securelexicon answered by pointing out a current trend among government agencies — the creation of a unique authorization process. Participants seemed to reach a consensus that a coordinated approach to security involves a good look at the end-to-end processes. @SPCoulson stated that the process of information security starts from the first keystroke of the developer all the way through the end-user’s validation process. Panelist @bcandrew strongly agreed with this point of view:
The current trend is for gov agencies to create their own authorization process based on FedRAMP to minimize cost. #SecChat
— Steven F. Fox (@securelexicon) September 25, 2014
Final A : Sec starts from the 1st keystroke of the dev & ends when the user tries the password 123456 – it is an end-to-end process #SecChat
— Stuart Coulson (@SPCoulson) September 25, 2014
— Ben Andrew (@bcandrew) September 25, 2014
Where do you stand on cloud security? Let us know in the comments. Thank you once more to all who joined our September #SecChat! Check out the full conversation on Twitter by searching the #SecChat hashtag, and to stay plugged in on news of upcoming chats, follow @McAfeeBusiness.