I’ve had a number of conversations with customers and prospects about cloud security recently and have been struck by how divergent people’s views are. Invariably, they fall into one of two camps. One camp, the “server huggers,” thinks the cloud is totally insecure because it is out of their control. These are usually IT people who have spent the last ten years learning the lesson that no vendor can be trusted and convincing themselves that the security requirements of their business are completely unique and unfathomable to anyone on the outside. The other camp, the “cloud hippies,” think that the cloud inherently makes everything good and that by moving apps and functions to the cloud, everything will just work out. For cloud hippies, security is for paranoid people and anachronistic Blackberry users.
The reality is that both camps are right (and wrong). The server huggers are right in arguing that cloud security matters and that the need to take responsibility for it. If your product designs, marketing plans, customer data or financials are leaked, it’s a huge problem. And whether the leak is your fault or not, it’s ultimately your huge problem because it’s your data. The cloud hippies are also right in that much of what you do when you roll your own solutions can be done ten times better by a service provider using shared infrastructure and who’s sole business is providing that service.
The key to cloud security is that everyone needs to do her part and not try to do things that aren’t. It all comes down to roles and responsibilities.
What’s your cloud provider’s responsibility?
First, the obvious stuff: Any cloud provider you use needs to secure its infrastructure. This means doing everything you know about, and doing it right: firewalls, IDS, encryption, redundancy, monitoring, etc. Policies and procedures for data access and change control should be in place. The people should be experts. When you go cloud, the standard for security should be what you want, not what you could do yourself.
Then there’s the less obvious stuff. Cloud providers need to design their features for both ease of use, and also for security. In the old way of doing things, software products provided features and you turned them on in ways that fit your homegrown security model. When you use Software as a Service, the options for security customization are less extensive, and rightly so. That means that the cloud provider needs to design their product so that it is more natural to use it securely than not.
But here’s the tricky part: Every cloud provider is going to tell you that they do all of this, but it’s not always true. Sorting the marketing fluff from reality and holding your vendors accountable is ultimately something you need to do yourself.
What’s your responsibility?
First, you need to select vendors based on security as much as functionality and cost. The only way to do that is to understand what they’re doing and evaluate them based on objective criteria. This is getting much easier these days with the transition to SSAE 16 SOC 2 and SOC 3 certifications. Those certifications provide a good common baseline to measure providers against and to help pull the curtain back on what your vendors are doing. You can use those certifications, architecture diagrams and other documentation to start having a meaningful discussion with your cloud providers on how they manage risk and ensure security. You should walk away from that conversation impressed. If not, you should walk away nervous.
But unless you’re high profile enough to become the target of a group like Anonymous, most attacks against you will target your people more than your infrastructure. Here are a couple examples of ways we’ve seen apps get compromised:
- An ex-employee does not have all of his account shut down
- Users are tricked into giving away their password with a targeted phishing attack
- A non-business app gets compromised, and your employee uses the same password for that app and his email
- Someone travels to China and ends up with malware on his desktop
After picking the right cloud providers, your second responsibility is to take ownership of preventing these kinds of attacks. Set up policies and procedures for onboarding and offboarding employees. Ask yourself the questions: “Is it possible that an ex-employee still has access to any of your apps?” “Did I remove access for existing employees when it is no longer needed?”
Educate your employees on what the threats are and give them simple ways to protect themselves and your company. Make sure they know that using the same or similar passwords for work and personal apps is very risky. Instill a bit of common sense so they don’t leave laptops unattended and call your helpdesk immediately if they loose their smartphone.
While it’s important to be clear about who can do what to secure the cloud, it’s also important to realize that the net result is almost always much better than what the server huggers can cobble together on-prem. The key is that cloud services are not software. In the end, if you go cloud, your goals become aligned with your vendor’s. If your CA SiteMinder gets hacked in some way, you blame your app guys, your security guys or your network guys. If Okta or any other cloud IDM get’s hacked, you’d fire us. While it’s ultimately your data that needs protecting, no cloud provider can treat security as someone else’s problem, even for the aspects that are out of their control. Because of this, good SaaS products are designed in a way that makes security natural.
At Okta, for example, we’ve integrated self service multifactor authentication to help protect against password attacks. We provide simple, secure password policies that we know work. Our product makes it easier to access app securely, with a single credential, than the old insecure way with dozens of passwords. And for admins, we provide automated account deprovisioning with clear auditing and reporting to show you who has access to what applications.
We get how important security is — for our service and for the cloud in general. We also get that we’re here to speed cloud adoption by making it easier. As a cloud service, our goals are completely aligned with our customers in this area. We operate our service at the highest standard of security. We also build our product in ways that makes it easier for customers to be secure than not. Call us cloud huggers, but it seems like the perfect compromise.