Cloud: the security boondoggle
Cloud will require a brand new security architecture, experts at Help AG say
The last few years have seen a dramatic shift in cloud uptake in the region, with customers moving from an affirmative “no” to a “maybe” and then a definite “yes” within the space of a few years.
For security service providers such as Help AG, this meant having to adapt to support customers with an increasing appetite for cloud. And this required creating a brand new architecture for securing cloud workloads, said Nicolai Solling, CTO at Help AG.
There are fundamental challenges with cloud platforms, Solling observes. The first is the apparent loss of control of data and corporate IT assets. The second is the range of technical issues that arise because cloud fundamentally changes the way security is handled.
Cloud also changes how cybercriminals operate, Solling said. Granted, SaaS platforms, especially the major ones such as Office 365, are fundamentally secure. But attackers are not deterred by this; they merely switch to a different attack model. “So what clients need to be aware of is that SaaS, IaaS and PaaS just create another set of challenges that we have to deal with as part of our security plan. And that’s why it was essential to address cloud security with a specific architecture,” Solling said.
This led Help AG to create a cloud security blueprint, built from the ground up.
The blueprint is based upon Help AG’s own experience in moving to the cloud, Solling said. “Like any other organisation, we are heavy users of IT ourselves, and we face the same security challenges. When it was our turn to adopt cloud services, we identified key challenges that come with securing cloud architectures, which led us to develop relevant technical solutions for that.”
The first challenge is that the identity of the user is under more pressure than ever before. When faced with a relatively secure architecture such as cloud, the default option for attackers is to go for the weakest link: the end user, Solling observes.
The other challenge is how to secure endpoints that ultimately have to communicate with cloud platforms. “Realising that endpoints are at the forefront of cyber attacks, we needed to figure out how to secure them. We put out the challenge to our ethical hackers, our penetration testing teams, to stress test our systems. Acting as a normal attacker would, they tried to elevate their rights on the machines. The report the hacking teams came back with helped expose our weaknesses within our network, which we developed solutions to fix,” explains Solling.
“We figured out that securing endpoints goes beyond technology. It is a combination of technology and configuration of the endpoints. An effective cloud security strategy must then involve endpoint security,” said Solling.
The third aspect of the blueprint is confidentiality and control of data. Moving to the cloud means putting data onto third-party environments. But wherever that data sits, the organisation still needs technical control of the confidentiality of that data. Solling cites a not too uncommon example of an organisation that decides to move its email service to the cloud. At some point in the future, they choose to migrate to another email cloud solution or perhaps even push it back on-premise. “With all the movements, you need to make sure that the confidentiality of the data stays robust. That led to a rethink of how to use encryption more widely than in the past, including how to extend encryption to workloads hosted on cloud services,” Solling observes.
The result is a set of technology tools and capabilities that provides Help AG with visibility around cloud and the vulnerabilities therein, and then, depending on whether it’s a SaaS or an IaaS or PaaS, the kind of approach that is required. “Luckily a lot of our vendors are also thinking about cloud, and have come up with solutions specific to cloud,” said Solling.