Cloud (In)security: Protecting Your Business Across Multiple Platforms
Depending on how much of a formalist you are, cloud computing (aka network-based computing) was invented in the 1960s by Joseph Carl Robnett Licklider who was working on Arpanet or in 2006 when Google CEO Eric Schmidt used the term “cloud computing” at an industry conference. It turns out, 2006 was also the year that Amazon Web Services (AWS) announced its EC2 and S3 services for anyone wanting to rent compute and storage. What we refer to as “cloud computing” today is some amalgamation of what the industry calls infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS).
Software-as-a-service (SaaS) represents the ability to rent access (via the internet) to an application that does not require the end-user to supply any compute or storage. SaaS predates the later genesis of cloud computing in 2006, with early examples including application service providers (ASPs) in the 1990s and Salesforce.com (the poster child of SaaS) which began offering CRM software under a SaaS model in 1999.
What cloud computing and SaaS have in common is that both involve organizations placing their data (and sometimes their applications) on someone else’s storage and compute. This fact has led to the creation of a “shared responsibility model” for cybersecurity, in which the provider of a service maintains security for the infrastructure or application (the hard, crunchy exterior) and the user of the service manages the security of the application and data (the soft, gooey interior). While this approach sounds logical, it ignores the complexity and immaturity of these cloud ecosystems.
Cloud service platforms and major SaaS offerings are complex beasts. The complexity of cloud service platforms is on the order of full-blown operating systems. SaaS offerings, such as Salesforce, are a rung below that, but they are still quite complex in their own right. And in the age of Agile development and CI/CD (continuous integration and continuous deployment), each of these cloud ecosystems is evolving far more rapidly than operating systems of years past.
Historically, attackers have thrived in environments of complexity and rapid change. Defenders have struggled to correctly array their defenses and to keep pace with churn. Overall, the major cloud ecosystem vendors have done a credible job of hardening their own infrastructure and applications, but the security posture of more marginal SaaS vendors is far more uneven.
Most cloud-related breaches to date have implicated the manner in which organizations have configured and used the cloud offerings. Cloud storage services that have been left open (either accidentally or due to willful ignorance) feature in many press clippings about large-scale data leakage. But while it is easy to blame the victim, the cloud ecosystem vendors bear not insubstantial responsibility for creating offerings that require a fairly high level of clairvoyance to secure.
Given the slow pace of innovation at larger and more established cybersecurity vendors, a large number of security startups have jumped into this chasm. The lack of maturity in cloud ecosystems has actually made the work of these startups more difficult, as the cloud platforms weren’t built from the ground up to provide the kind of telemetry that enables effective security monitoring. And while traditional operating systems suffered from this same shortcoming in the early days of hacking, they evolved with companies getting serious about security when focus (and revenue) shifted from consumers to business customers.
This article originally appeared on fobes.com To read the full article and see the images, click here.
Nastel Technologies uses machine learning to detect anomalies, behavior and sentiment, accelerate decisions, satisfy customers, innovate continuously. To answer business-centric questions and provide actionable guidance for decision-makers, Nastel’s AutoPilot® for Analytics fuses:
- Advanced predictive anomaly detection, Bayesian Classification and other machine learning algorithms
- Raw information handling and analytics speed
- End-to-end business transaction tracking that spans technologies, tiers, and organizations
- Intuitive, easy-to-use data visualizations and dashboards
If you would like to learn more, click here.