Few would debate that cloud security was at the forefront of many conversations at RSA. The concern over securing the inevitable move to major cloud deployments was evident in the over-capacity Cloud Security Alliance meeting, conference presentations, vendor buzzword bingo, and serious private conversations among CISOs and their peers.
While most of the conversations were about measures that can and will be needed to protect data and applications hosted in or from “the Cloud”, there was little discussion about what could be done to test and verify the security of hosted applications and off-premise IT systems. This struck me as odd. Since there is so much hand-wringing about cloud security, isn’t the logical response to do some cloud security testing to ease the fear? If one is worried about something, often the first step is to conduct a test and run some diagnostics. When the TSA wants to know if its security provisions are working, it attempts to breach those measures by sending covert agents armed with forbidden substances and weapons through airport checkpoints, and listens for the alarms to sound. Why aren’t we doing that with our cloud providers?
I had several RSA experiences that crystallized this omission. First, at a pre-RSA CISO Forum hosted by the ISSA, I had the pleasure of dining with several large company CISOs. Invariably, the cloud topic surfaced and brows began to furrow. At the same event last year Philippe Courtot, CEO of Qualys, a pioneering advocate of cloud computing, offered a controversial challenge to the same CISO group: Get on the cloud bandwagon or be overrun by it. Philippe challenged the CISOs to find ways to insist on security assurances as part of cloud deployments.
One year later, seated at the same dinner, I asked my dinner companions what they were doing to ease their concerns over cloud implementations. Were they doing any cloud security testing? How were they verifying that their critical data and applications were secure? This is when the shoulder shrugging started. One security executive, responsible for risk management, had the plaintive look that comes from having full accountability for the security of his organization’s information systems and data but total loss of control over them as they headed into the Cloud-o-Sphere. “It’s not my problem anymore,” is exactly what he said, although his expression revealed that he knew that was not true.
The second experience came at our annual RSA Core Customer Community (CCC) gathering. At this meeting, Core’s Alex Horan outlined the latest features in CORE IMPACT v11 and previewed Core’s new automated enterprise-wide security testing and measurement platform, CORE INSIGHT. Beyond product roadmap updates, the CCC offered ample opportunity for our customers (who now number over 1,000) to discuss areas of concern. It was then that the issue of cloud security testing surfaced. A quick show of hands had cloud initiatives in place at about 75% of the organizations represented. When asked about the testing provisions and security verifications that were in place, the eye rolling began and shoulders shrugged again. I began to ask questions based upon recommendations for cloud security testing put forth by my colleague, Milan Shah, Core’s SVP of Engineering and Products, in his blog post of the previous week. In that post Milan outlined three simple ways to begin to address the angst about cloud security.
1. Know what defenses and protections your cloud provider has put in place.
2. Test your cloud instances in the same way that you would test your on-premise infrastructure.
3. Specifically identify security intelligence that you want benchmarked and measured for your organization’s deployments.
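One way to turn the first and third recommendations into something measurable is to keep an inventory of cloud instances that records whether the provider’s testing authorization is on file and when each instance was last covered by an authorized test, then compute coverage against a fixed window. The following Python script is an added example and is not code from the original post, from Core, or from any provider; the instance inventory, dates, and the 90-day test window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class CloudInstance:
    """One hosted instance in the organization's cloud inventory (constructed record)."""
    instance_id: str
    provider: str
    environment: str                 # e.g. "prod" or "staging"
    provider_auth_on_file: bool      # recommendation 1: provider's testing authorization obtained
    last_test: Optional[date]        # recommendation 2: date of last authorized test, None if never
    open_findings: int = 0           # recommendation 3: a metric worth benchmarking over time


# Constructed sample inventory; identifiers and dates are illustrative only.
SAMPLE_INVENTORY: List[CloudInstance] = [
    CloudInstance("i-0001", "aws-ec2", "prod", True, date(2011, 2, 1), 2),
    CloudInstance("i-0002", "aws-ec2", "prod", True, None, 0),
    CloudInstance("i-0003", "aws-ec2", "staging", False, date(2010, 10, 15), 0),
    CloudInstance("vm-0004", "other-cloud", "prod", False, None, 0),
]


def benchmark(inventory: List[CloudInstance], as_of: date, max_age_days: int = 90) -> dict:
    """Report which instances are current, stale or never tested, and which lack
    provider authorization. The window length is an assumption, not a standard."""
    cutoff = as_of - timedelta(days=max_age_days)
    current = [i for i in inventory if i.last_test is not None and i.last_test >= cutoff]
    stale = [i for i in inventory if i.last_test is not None and i.last_test < cutoff]
    never = [i for i in inventory if i.last_test is None]
    no_auth = [i for i in inventory if not i.provider_auth_on_file]
    coverage = len(current) / len(inventory) if inventory else 0.0
    return {
        "as_of": as_of.isoformat(),
        "instances": len(inventory),
        "coverage_pct": round(100 * coverage, 1),
        "current": [i.instance_id for i in current],
        "stale": [i.instance_id for i in stale],
        "never_tested": [i.instance_id for i in never],
        "missing_provider_authorization": [i.instance_id for i in no_auth],
        "open_findings": sum(i.open_findings for i in inventory),
    }


def untested_production(inventory: List[CloudInstance], as_of: date, max_age_days: int = 90) -> List[str]:
    """Production instances with no test inside the window: the list to raise with
    the team that owns them before the next review."""
    report = benchmark(inventory, as_of, max_age_days)
    gaps = set(report["stale"]) | set(report["never_tested"])
    return sorted(i.instance_id for i in inventory if i.environment == "prod" and i.instance_id in gaps)


if __name__ == "__main__":
    report = benchmark(SAMPLE_INVENTORY, date(2011, 3, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("production gaps:", untested_production(SAMPLE_INVENTORY, date(2011, 3, 1)))
```

Run on the constructed inventory as of 2011-03-01, the report shows one of four instances tested inside the window (25% coverage), one stale test, two instances never tested, and two instances for which no provider authorization is recorded. Tracking the same numbers each quarter gives the kind of benchmark the third recommendation asks for, and the "missing_provider_authorization" list is the reminder to do the first before scheduling the second.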
I asked our customers, many of whom are penetration testers and more aggressive about security than the average security pro, whether they were doing any of this. Blank stares, more shrugs, and embarrassed silence. Few had asked about their providers’ defenses, and fewer knew that they could test their cloud providers themselves. There was one exception: a widely recognized security consultant, pen tester, SANS instructor, and long-time customer of Core shared his experience. As a consultant, he told the group, he conducts pen tests regularly against cloud providers on behalf of his clients. In particular, he outlined the simple process that Amazon AWS has put in place to sanction pen testing. Amazon encourages its clients to test EC2-hosted instances. They are both confident in the vast security measures they have put in place and eager to allow customers to verify the security of Amazon’s infrastructure by subjecting themselves to the testing regimes of security consultants using penetration testing techniques and tools like CORE IMPACT and others.
My message to the shruggers and eye-rollers is that you are in a position to ease the concerns about cloud security by conducting tests, establishing benchmarks, and demanding that your cloud providers share their security provisions and controls. They acknowledge that for cloud computing to reach its potential, security concerns must be addressed. Here at Core we will continue to encourage security professionals to extend the methods they have long used to test their own security to the Cloud and to demand the same of their cloud service providers. Stop shrugging and start testing.