THE BLOG
01/29/2016 12:07 pm ET | Updated Jan 29, 2017

Why the Cloud Has a Security Problem

The list of high-profile security breach victims reads like a Who's Who of famous companies: Target, Home Depot, J.P. Morgan, American Airlines, Hilton Hotels, Sony, Neiman Marcus, Staples, Time Warner Cable and (ahem) Ashley Madison. An alphabet soup of government agencies got hacked too: IRS, OPM, NOAA. And all this in just the last couple of years.

Hackers seem to be having a field day breaking into networks and stealing the private information stored there. In fact, a study by insurance giant Munich Re last spring found that nearly 70 percent of businesses had experienced at least one hacking incident in the previous year.

The attacks have coincided with soaring adoption of cloud computing. In a rare justification of the hyperbolic term "revolution," the cloud is altering the way nearly every organization approaches IT. Thus, it's easy to assume that hackers are increasingly targeting cloud infrastructure.

I don't really know to what extent cloud technology truly is at fault for the headline-grabbing cybercrimes of the last two years. But the attacks have rightfully turned up the heat on a simmering debate over whether data stored in the cloud is less secure than that kept "on premise" -- behind the firewall in an organization's data center. In fact, survey after survey shows that security is the single largest factor hindering faster adoption of cloud computing.

So does the public cloud have a security problem?

I believe it does.

For one thing, it's simple math: Clouds have grown so huge in scale compared with on-premise data centers that it makes sense they'd have a bigger bulls-eye on them. "Cloud attacks are going up simply because that is where the money is," Kevin Curran, senior member of Institute of Electrical and Electronics Engineers (IEEE), told the tech news outlet Computing.

But there's a deeper problem. I'm seeing some situations in the industry right now where speed is taking precedence over security as organizations push applications and data to the cloud. They're moving so fast that they're not always sufficiently sweating all the security details.

That's either because they're bypassing traditional corporate security processes, which were developed in and are more geared to the slower pace of the pre-cloud era, or because they simply lack qualified developers, engineers and other experts who know how to make cloud-based systems secure. Many of the infrastructure technologies that underlie the cloud, such as OpenStack, Docker and Apache Mesos, are relatively new and standardized security methodologies around them are a work in progress.

In October, U.K.-based telecom giant BT Group went so far as to say it will switch to a different option to deliver cloud services unless OpenStack can address its concerns regarding six areas, including security, according to a report in Light Reading.

Security threats coming from "north-south" -- that is, in and out of the cloud -- are typically protected by the "DMZ," a secure buffer that separates a company's internal network from the Internet and other perimeter devices. However, security at the edge of the cloud is not enough given that 80 percent of traffic stays within the cloud.

This so-called "east-west" traffic within the cloud typically lacks the same level of protection. If someone breaches just one virtual machine or Docker container (a piece of software for application development), the vulnerability can spread like wildfire across the enterprise.

It's important to remember that threats to a company's cloud don't come just from the outside; they also can be vulnerable to insiders.

Disgruntled employees gaining access to confidential data has always been a potential problem for companies, but the cloud makes it worse because it's easier to destroy the entire cloud environment, and quickly, rather than one isolated part of the network. The same goes for unintentional errors caused by network administrators, say the misconfiguration of a firewall.

Fortunately, new technologies, practices and initiatives are coming along to help double down on cloud security.

A practice known as micro-segmentation is getting increasing attention in many organizations. This helps segment the network limits from an intruder and contain a breach before it harms the entire network. By applying forensics tools, it is then easier to diagnose the impact of post-breach.

Another, even more proactive approach is using software (such as Open vSwitch) to enforce security using policies. This allows every virtual machine in a network to have its own security -- managed at the VM level, rather than at network level. This ultimately means an application can have its own individual security level -- something impossible from a traditional network security perspective.

In addition, the OpenStack has a project, Neutron, working on better cloud security management.

The important point is that no cloud strategy is complete without rock-solid security execution. Organizations may be moving quickly to the cloud but skimping on security as they do so can be a terrible and costly mistake.