2015 CSA Summit Highlights Cloud Security Threats

One of the highlights of every RSA Conference is the Cloud Security Alliance (CSA) Summit, which is traditionally held on Monday morning of the RSA Conference. This year’s summit was well-attended, with IT security professionals packing the hall to hear from a variety of cloud security experts.

There were several presentations throughout the morning, but two in particular stood out for me: A panel on the top security challenges facing enterprises who adopt the cloud, and another panel that provided feedback on cloud security from a number of the largest cloud service providers, including Amazon, Google, and Microsoft.

2015 CSA Summit
The “Top 5 Security Challenges Facing the Cloud Adopting Enterprise” panel at the CSA Summit 2015. (Photo: Jeff James)

Security challenges for companies that adopt the cloud

In a wide-ranging discussion about the top security challenges facing businesses who adopt the cloud, six security experts highlighted five cloud security challenges that all IT professionals should be mindful of, namely:

  1. Data Security
  2. Navigating Global Trust Issues
  3. Shadow IT
  4. Advanced Attacks & Cyber Conflicts
  5. Provider Visibility & Translating Enterprise Requirements into the Cloud

When it comes to overall data security, John DiMaria of the British Standards Institution suggested that security admins needed to focus on an overall approach to security rather than on traditional perimeter defense. “[Sometimes] you can be too reliant on technology…and what I’d call an ‘eggshell’ protection model: The exterior is hard, but the internal is very soft,” DiMaria said. “There’s a fundamental difference between IT security and information security.”

The "Top 5 Security Challenges Facing the Cloud Adopting Enterprise" panel at the CSA Summit 2015.
The security challenges panel at CSA Summit 2015. L to R: Chenxi Wang – CipherCloud, Jay Chaudry – zScaler, Sol Cates – Vormetric, Rehan Jalil – Elastica, Krishna Narayanaswamy – Netskope, and John DiMaria of the British Standards Institution, moderator Jim Reavis (Photo: Jeff James)

Chenxi Wang, the VP of Cloud Security & Strategy for CipherCloud, said that data loss prevention (DLP) systems could use improvement. “Traditional DLP systems don’t work, and this remains a huge data loss problem,” Wang said. “Technical solutions that solve narrowly-define problems [aren’t the answer]…we need to focus on the content.” Jay Chaudry, the Chief Executive Officer and Founder of Zscaler, agreed that there was “…no one answer to the DLP problem.”

IMG_4250 copy
The enterprise lessons panel at the CSA Summit presented the provider perspective on cloud security. (Photo: Jeff James)

Enterprise Lessons: The Cloud Provider Perspective

With an increasing number of IT organizations moving workloads into the cloud, the state of cloud security is becoming increasingly important. Getting the perspective of cloud providers on the state of IT security was the focus of the last panel of the conference, which featured executives from Microsoft, Google, Amazon, Rackspace, and Dropbox.

IMG_4252
The cloud provider panel at CSA Summit 2015 (L to R): Brian Kelly, Chief Security Officer, Rackspace; Patrick Heim, Head of Trust & Security, Dropbox; Eran Feigenbaum, Director of Security, Google for Work, Google; Jerry Cochran, Principal Security Engineering Manager, Microsoft Office 365; Chad Woolf, Global Risk and Compliance Leader for Amazon Web Services. (Photo: Jeff James)

Improving Cloud Security: 2FA, Log Everything, and There are no Silver Bullets

One of the consistent themes mentioned by all of the panelists is the importance of users turning on two-factor authentication for users accessing cloud services. “User authentication is still a big problem,” said Eran Feigenbaum, the Director of Security for Google for Work for Google.

Patrick Heim, the Head of Trust & Security for Dropbox, suggested that IT administrators should “…turn on two-factor authentication for everything you can” and suggested that bad actors trolling for cloud service user credentials had almost reached an “epidemic level.”

Another step that all the providers urged admins to take was to turn on logging, which provides a wealth of information about who is accessing what files, when access is being made, etc. In nearly all cases these logging features are free and readily available, but not all cloud service users may know about them.

IT managers were also urged to move away “…from the chaos…” by getting a better understanding of what cloud apps their users are truly using, and to recognize that a “silver bullet” solution that solves all cloud security challenges simply doesn’t exist.

Is the Cloud the Best Place for Important Data?

One of the most interesting discussions came when moderator (and Cloud Security Alliance President) Jim Reavis asked the panel if the “we’ll never put some stuff in the cloud” philosophy followed by some IT managers was still relevant.
Patrick Heim from Dropbox suggested that modern cloud services were analogous to public power plants that emerged in the early 19th century, and argued that IT services were moving toward a future where they would be treated like public utilities, not unlike the point of view espoused by author Nicholas Carr in “The Big Switch.”
Chad Woolf, the Global Risk and Compliance Leader for Amazon Web Services, said that “…eventually the cloud will be a better place for regulated and sensitive data…” and stressed that large cloud providers had established processes and procedures for logging activity, providing physical security for data, and had tested and proven approaches to handling secure data that would eventually make them the location of choice for regulated and sensitive data.
Jerry Cochran, the Principal Security Engineering Manager for Microsoft Office 365, suggested that as IT managers became more familiar with the level of security that cloud providers offer, they’d feel more comfortable with moving services to the cloud. “[All of the major cloud providers] have key management, and more [security] features are being announced. As you get more control, the fear [of putting sensitive assets in the cloud] subsides.”
Brian Kelly from Backspace provided some of the more colorful comments at the panel session, and suggested that IT managers needed to “…start treating your servers like cattle and not pets, because those days are over. The ranchers [cloud service providers] are going to feed and water those cattle for you.”